23542300x8000000000000000327544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:10.859{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF523DAC84808B150964A4E9385F67C,SHA256=F1FDC1E01F0D3B8B017D46D1048AC4D03991A2EA7042968762879E11E2C3BE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.873{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.873{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.873{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.505{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE409522144A24CC30D653D2055516D9,SHA256=3F827E5DD42D9170F31735916C407226B84D1295D62E5188EE8C2A77A7721285,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:08.765{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56021-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000315697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:08.653{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62080-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 354300x8000000000000000315696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:08.653{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62080-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 10341000x8000000000000000315695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.036{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.036{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.036{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000327545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:11.975{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3818F6DEB0779FADB1D60EA257D53F,SHA256=1AD323FA1BFA3B75614AFC294EEB43884F3E32AD83A4689A7958BDBD015620C8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.488{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.471{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.471{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000315751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.254{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.254{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000315738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.251{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000315719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000315715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000315710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.237{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000315703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.053{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.053{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000315762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.349{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62084-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.349{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62084-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000315760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:12.076{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE332D593DF8A244874D2CE47F99EE9,SHA256=8438A92A7984865A91E564F897DE2504762BBEEA9B02FA82DB5F3348F9427EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:12.076{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA8FC0ADC4CEA7A79F55608F3795C87,SHA256=43B69064E7F3FD93054E14D3F15605A457FB7B7E7BE3D83F6FA20350CB5DC446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.513{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62082-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.513{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62082-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.338{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62081-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.338{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62081-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.669{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62086-false10.0.1.12-8000- 23542300x8000000000000000315763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:13.198{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F91F2AAECC09A15A6601BF0F210557,SHA256=BA577894E314A777E65A4EFD34E0C48EC27C55B6A344A175ECC66D6779F9FA4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:11.058{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56023-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:10.937{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56022-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:13.075{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BD02AAB21246FE696F71AE9D1C5722,SHA256=86CFEFE3B3465CBAE53C6A2A58574262713F589B802F9B920299DEA9B101CCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:14.314{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47044BC37909734036D672F7B1746D20,SHA256=361C4419AE8B6942566A9C19193224CF82EB3DC0191D2F60CCD97D4BBB3FEAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:14.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CF9CF4F3E4A127BE3A36851C74451E,SHA256=1BC299B9E35B0CFA5F75395BCAF016AEAC9F82A0E55B13D9A21FC104865A9778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:15.415{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ADD58592C65A89F654ECECE784217F,SHA256=1BB71665F56CF38BD2BD14AB2CD5A9A4EDDECB1E5AD1B26B305C07480ADBD39D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.983{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 11241100x8000000000000000327553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.875{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txt2022-08-24 10:27:15.873 23542300x8000000000000000327552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.874{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000327551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.873{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txt2022-08-24 10:27:15.873 23542300x8000000000000000327550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.294{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFAF5DE2E1A51034ACFF9A5193E1171,SHA256=725808E8C63A16FAA22AA5EAF5107A34E8061B6D0A9995A6BF9596328E8133BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:16.546{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A06AF31D52735D03C3F572CF857097,SHA256=9CEC4CED26EF4D99BF465D114BBBA5BE1CB23B6CB13076C776342AD4B0A68F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.611{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3373A414FE6EB11F9453CA276DBF45,SHA256=F938A1F733ABEB8128D899AD53558A193313FD79CB08C91B7E1944AC5DA57E3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:13.241{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56024-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000327603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.304{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.301{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.298{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.292{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.280{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.278{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.270{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.245{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.243{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.242{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.223{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.213{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.193{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.177{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.172{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.170{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.166{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.164{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.161{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.160{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.157{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.154{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.152{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.140{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.135{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.132{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.128{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.122{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.120{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.105{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.096{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.089{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.080{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.070{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.062{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.034{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.027{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.020{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.012{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.002{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 23542300x8000000000000000315768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:17.632{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9517A6754EAB1A800F2155A5404DA938,SHA256=572726EFAA9EF6E7C9D7E19193414A07E3308B0C873C995F6BBD78854FE43734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:17.394{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6D56662836A148BF6F45727F23FC23,SHA256=1BD4FEA023488C48C47D040033FCCCD3CE07ADF1287C0BA9FE26328A20B09086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:18.747{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDE4D4A0DE5C07F503D5BFDD419A9DE,SHA256=03536A1C893DE92BDC76C6ECD45ABEC7C6A123E17D62415D53771E5162C81984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:18.510{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C355EB59A1A001D48585960A90179A9,SHA256=4F3118ABA50D3E62C2C44EDD08DAE1FADD9E12A6C9DAA4F9097B05B912103EB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.540{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56025-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:19.878{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF4720DE33D37ADAB6C06881E5567FF,SHA256=BA1483A456920065595F476FA8E3118DF5D7A4F8DE1378CCEB5DDD02A0FEA8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:19.612{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B1C00ECCCED2C8249DCC4C6B017CB7,SHA256=94CFEAEA48B8BC63551AC6FEC12F41CFD86F4B55712D00B452B86F13565B828E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:16.669{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62089-false10.0.1.12-8000- 354300x8000000000000000327610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:17.710{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56027-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.920{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56026-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:20.915{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B8D20CECE2B5C3EBFD074B62814CF7,SHA256=484FE5084A087844C44BF062A511A16E5D0323C5283F0FA6ED5C98834D02BCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:20.740{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53E80D7D8424D194E150E6CEEF513F4,SHA256=A5349F06FF3E66B144AC79A9B75C035EC4F47A90542CEDDC075D5D703102BE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:21.873{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55266DC35FAE2662ECF1D0FB9C17C591,SHA256=93C1B7A1DD684FCCB37BD297F88C971B1F2A0A44CDCE11E9D1091FA6238EF638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:21.015{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:22.994{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D49554D59AA06C2432F998D51BC865,SHA256=451596F1B936EF918DE51951BD6F49E07F46936265EA47C2C14F95DA9797C725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:22.046{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B221743E8BDF3B0B18C36D312C3073C9,SHA256=D21E4092CD7A2C989ECCDF93E16E8577B938E12B1640ADE62D5EC49A8118B7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:19.980{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56028-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:23.176{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEEF22D7902E5C5554DA6E7BA23196B,SHA256=CE5CBD8A23275AC548060826092E1C754CE032885EA813C6102796A05171F69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:20.471{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62092-false10.0.1.12-8089- 10341000x8000000000000000315795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.741{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.734{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.730{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.728{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.726{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.692{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.685{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.673{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.666{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.658{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.648{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.636{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.619{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.605{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.595{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.581{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.487{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.482{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000315777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.294{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4161034541F7A7F5088D0F8B390829,SHA256=F53D7DC512C10A73F9CAFE223A7341CD165F7E6001E313B92837BCF55AF29758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:22.260{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56030-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000327617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:21.958{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56029-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:24.109{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0628CF6CDD248495C00678ACA75314,SHA256=16EE68B0E1CCF790B4E5F919EB4E65ABF0E3C2B2C4FCE57AE47BFFE5FB186105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:25.693{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=570F268EB737516B6632C7C9A3D9BB75,SHA256=0977F3CF3002626AF1E1E86FBE0D929DF34C9BD48BC2134BDF9C3DC838497BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:25.241{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B67F75F34211319BBE11251EADF043,SHA256=93526E53D13A6921B8F9849EFAA0FDC9EA3E0E3718945C477EF5660B81C4467D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.308{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEBCF7B9FC999832378ED5F89F24337,SHA256=9634EC54114EEEFD36FB5945FEBC791EEC04E44CAB21321AA69CD881B671DA08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:22.622{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62094-false10.0.1.12-8000- 10341000x8000000000000000315800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.218{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.215{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.211{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.207{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.206{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.773{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.773{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.773{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.767{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000315809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.765{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000315808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.764{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000315807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.762{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000315806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000315805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.759{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000315804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.758{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.378{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0091EEDCF4ABC5A3EE5C39E46A00CC62,SHA256=ECD2F1D47EE63859B335D9D98BCCD6CCA82B037148C0C30EC93528746755C7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:24.556{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56031-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000327621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:26.373{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB86DDFBA454B820587E589D83268F01,SHA256=4EF0A522E568518ECFAA8023A67413F4B4BBC99054A605D75A9908EB83E2A37C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.963{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.961{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.960{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.960{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.954{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.952{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.948{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.945{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.942{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.939{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.937{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.929{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.907{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.899{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.884{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.853{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.841{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.829{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.819{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.815{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.811{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.807{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.804{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.802{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.794{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.793{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000315820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.474{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6507A8ACC080659BF07FF3D89AE0B6,SHA256=AC2E641A4A7437E295E6478F0C1189721E9B2A7C3FE0303ED57DD644598EA846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:27.523{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3656784CF94CDB7342A1362CEEF1DE,SHA256=CD237DC799D5168C758E942CED6BC84009F128C6D90250FD257EAFBD1179B0CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.285{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.283{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.270{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.268{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.261{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.029{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:28.550{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51FAB6322EF2D5E510AF49C872456BD,SHA256=562E98344B391E5197DCEB07CB85ED3106A5105B03276676064E6B22A838C3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.796{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-186MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.577{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1F32CA91909ACD3ED5C8DB539AE7B2,SHA256=04478DB04BB2A977CFACF32FCCBAEAB67B5BD6FC31A368EA25A7B5B7042A2929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.045{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.042{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2097961AC03803FFD18A79242FF4B8CE,SHA256=87B862B3C95FF1D3694B0AA58D8577940F15371CE82E370B8E2457AE47713A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.677{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E18BD5EC3056E494AAB9E629F4FDE2F,SHA256=47B3652E4D6CF5CA4E9EDFAD8FAB29476213C38C74A9870B28E0D264EDB9F505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:29.809{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-187MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:26.986{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56033-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000327629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:26.754{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56032-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:29.673{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE2E4CD3BE0C5FA786EF82CFA114FB0,SHA256=8EBCBDD82C0A90076B83B488513C2CE3BF64E47A92F0E1103C15563FD11A674A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000315851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:27:29.529{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8b7a4-0x1cedda7b) 10341000x8000000000000000315850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.529{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000315849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.529{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.529{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb04fae.TMPMD5=7C93E0E6DCAB68B9BCC4A82C8177A955,SHA256=A68F241C43CB569619FD463D3B05D59F2CDDBA1A0B0BFA98F8E433A34B35189A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:30.914{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B809C32DD3C431BFE7C2D646609F014,SHA256=C90EA437F4452DB8C8237C65FDE0528E3360CEA6F4F12165211D4A127E214037,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:29.056{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56034-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:30.740{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B3F237F27BB54DAA14FB6A6E5FB1CC,SHA256=341162636F3FFE228B44D0D7C2B12A592E20B9E6148537F5CE57AD1BB002B552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:31.840{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5709A55C9F99891AB0EC91B5A01BCD,SHA256=46635D8A07FD337A4BA831F03E9C152E48C35F4D05273574928760EF088A4077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:28.506{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62098-false10.0.1.12-8000- 23542300x8000000000000000327635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:32.956{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B02197E41E1CBA3C62A28703CF5A341,SHA256=EAB93361321D6B69570EDED42D13255E5D587CAA84F495FC501461144EE744DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:32.272{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=153B9E08A459E93661A0F90A97BC81F0,SHA256=03B501A0FE4473674FDD94CF164FD41763311C553DA9ECF598A207D45C9E8091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:32.029{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DDC96F24ACA7B47627645D05681353,SHA256=A3A04382968A91D6FAA26E8D74222B892CCF4824CEC8FA1C60228C04E7D65D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:33.145{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3535E5D97E7A92B6E46D56C6DC2BB1B2,SHA256=674E4649E7939BC2F08B53F9E82A6641AB407C1FCD34738B7BE5675A799ED289,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:31.324{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56035-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:34.875{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DB076A8A5D000D7C0F9A63C1EFCCC678,SHA256=FE1DF4D47CF6C3ABB667D7DE0796AEFA84BA40ECEB42C09D0E3F5A71D9EEA330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:34.261{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5821B6C788B7D73B7EE47562A381345E,SHA256=97809CD84DE671FABFF3D1CB23190580F4FD3096BEE5C64046FDAE5FB8E72BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:31.988{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56036-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:34.076{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC51442E983765B093DE27BD4B7C659C,SHA256=48F5C210B672F0B3EE3599E0E474D9D6A7F9E354B761AE23D72ACAC682CE7584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:35.393{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234758A06529E3D04D2B112A7D3258CD,SHA256=5FD504C236755A620F20D338E4050DC69814EA3DB321483E3173CDB5EA7FAE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.987{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000327640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:33.608{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56037-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.193{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FE418E5AF5208E91F5D698B9182C43,SHA256=B966A495C0626A325856D39C02FA1EB1434E88B2CC4174654A80996307D187F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:33.556{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62101-false10.0.1.12-8000- 23542300x8000000000000000315861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:36.512{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C68608E3FFD0CCC7734003AD9E122CB,SHA256=99436DBB127BD1A21CBFCE637D60FF9331B46446BC387EB42319AAF3F38D257C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.438{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.436{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.432{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.428{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.425{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.421{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.417{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.412{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.404{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.394{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.379{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.344{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.342{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.341{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.325{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.306{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.269{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000327673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.266{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B694DCE9000B18E2CC25F528FC1EC7,SHA256=5B682562AB5D29602284CA29BCF8B775CC17319D63152004A728729BA19E9241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.261{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.247{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.235{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.226{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.223{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.221{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.220{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.217{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.215{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.212{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.207{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.204{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.191{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.186{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.165{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.086{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.080{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.070{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.054{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.019{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.999{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000327693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.893{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56038-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:37.756{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C5BE9C7C9AC7102F91446A27EE7EAF,SHA256=B0614737EA5940A83FBD19DAFCB9007BF0F28958D33FA84F24A49881C00CAFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:37.759{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=054FC64FCCDC51ECBCA3EB1558339303,SHA256=486701818604CDADF3AE16C2D213BC550FE73131167362A3451FDBE59FAC871C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:37.612{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517D2F2E9D1D4081BF6DD60A35CBEA54,SHA256=4FD139E237EBC2421DEBE9862FDF5F31B3EBEECD4E247170D9B1DFC55E256B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:38.745{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01745B57C059AB22B43D767AB126D77,SHA256=4A00C2516A31B504257D65CB14EC8C21AB902D0C2EA995CE517DBA4543E5ABB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.356{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.350{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000327699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.349{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000327698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.348{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000327697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.345{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000327696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000327695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000327694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.342{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:39.874{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98C5C9934938257AFD3845AB5D88A33,SHA256=6DE4C662B11342201351E74FD7BD7F106BA372F47328C21AB56E8282EA6B7F80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.186{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56040-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.019{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56039-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.996{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B21DD7B26EBEA3742A1C2BB2974FFFF,SHA256=2551A0E5E08A031325AA4DCF7B4DF700C00435DC986FECAB003EBB7901B9937E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:40.965{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833E14BBD47E836A396865D0EF163B40,SHA256=4EA7C2404A766EC911A01B21B9877B861DDFB2EDB7A918E63A87C4FC7FDA85FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:40.126{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A569A2AF7A683D8711AA8FDD01FE2A,SHA256=F04FD8628AC843F6347D3D48A3D85F27159495BEB15BD9AB02B8858540C19DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:38.720{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62105-false10.0.1.12-8000- 23542300x8000000000000000315867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:40.492{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-186MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:41.158{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E180FBF93D251B44113C28288E064B9,SHA256=FD48E25AB44E8C4FC425DFC4F120516D814DA32B9765540B782AED274A4D5934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:41.592{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2890E2C1B1053DB8ABEEA9D90ADB2296,SHA256=7ACB895A1CB6B13B5F9F7A00F23BCC40BCC8DBA1DB12B5669604ACEAFD1DC1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:41.492{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-187MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:40.380{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56041-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000327709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:42.195{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B0F6A15AA2B4073103CBB4C75E6458,SHA256=2595A6A887A192C3F617ECEDC5AF7CA5060962A92C86F535490E05F35D067703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:42.048{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9688C2C9E507AC51318F8557568D6420,SHA256=8889B5050D0E2FAC4FDA9F17B9FAD00A3F6169F48458D06C01581D3C2342DD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:43.342{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EBC05CFDECE59603340EF68B2551AF,SHA256=4B65ED856A73AFE0BBC89B45113E27A6BF46D05AB8F3CDC991CF839B387A6DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:43.074{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90C46F7F73AFB69BB7711F4A089CF77,SHA256=56EA5D42CAB06DFBFE38414FF55D24D9E94567A611E17E8E56B32F45107E048C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:43.010{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99745B1610F0D59490F29896E8974605,SHA256=63D9BB0D1B08319AD9BFB2D05BBF374E4DFDCDEA1B427A350FECA0F9B023C50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.709{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.474{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45780187C88ED9AFFCEF7261413128C7,SHA256=5B75EA54A4F5BB7961AFE72822A4B5F1E39296EDF1B6AC03F57363E269EA4BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.683{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.676{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.672{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.669{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.666{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.637{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.631{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.619{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.610{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.602{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.591{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.584{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.573{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.565{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.550{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.538{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.478{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.473{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000315874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.191{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5627BE19A01656557E20493E23CD11,SHA256=FBDBA076ACBE9B963E712A8A59A65A9FDC017D525F5D18751B6C83DE0F4EE4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.517{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B138F6EF6B6E2D48C321994A4545C3D8,SHA256=9C74F2D05BA6B612873C2DB165B035D8C9895946129525FB12D4916CB6A1493B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.428{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F042D0D08AAD69D90E95845EA49EBE,SHA256=6410640A43434E14D945C76D24DB70ACBCFE91FFF91DD2F612185F2318AE2143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.124{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.124{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.124{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000327715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:42.660{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56042-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000315897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.160{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.157{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.153{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.150{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.148{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000327722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:46.639{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786B697E412E11942D8C106B355FBA87,SHA256=6C76C306A8DBADD3F51FBAD178612DE2F8505386E4BA14ED69001418C4CDAC4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.601{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62109-false10.0.1.12-8000- 23542300x8000000000000000315899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:46.559{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D6E0E23CB48656EE56AAC2CD0F4C3D,SHA256=A8C1196F71DD96F5D8F1A1D5FFBF9D4324050753C77C7F48D660E05050254DE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.456{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56044-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000327720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:43.856{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56043-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:47.772{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E760D4118915F38490632B4A21B6893B,SHA256=78090BD784998B3365B0F24E73D132626EC41C7036C930F67DC9DC0B368F26BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.935{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.932{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.928{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.927{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.924{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.921{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.917{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.913{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.907{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.903{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.900{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.885{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.858{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.851{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.836{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.806{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.797{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.784{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.777{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.776{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.773{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.770{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.767{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.766{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.762{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.759{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000315906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.674{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7788F61A3DE6493A47F7EF2E7543B,SHA256=E194467E58FDF17689E990A1145BD481C255F65303CAD8E88D18914F6D607DEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.939{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56045-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000315905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.252{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.250{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.234{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.233{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.227{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000327725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:48.854{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139C50FE73DA0A401301126130F5A5B6,SHA256=3D76EBC4E247888D62722018FE2B6A5879D046AB7E6CF32ACABC30893F05528D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:48.774{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE49920B5750EBEE25010AB2C749835,SHA256=F67AD76A4A8B3FC20805795401296817A1A74370C2D31974BC2A914AA43AF689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:49.972{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F75921C61AA6646492B4222EE9BD12,SHA256=48C7657FE9F6E50650E2FB2E7FF8982B694152720D159C85367812CA4BC56408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:49.873{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389DB72F9E617A34DE94D8E8A59E9CCA,SHA256=81D5F9D7182D2BC9B684145D3D53069167F1AD339F92B2853E10F6CD2E74C633,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:47.154{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56046-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:49.450{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56047-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:51.106{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09DF5273F391F5265DDAB63C8DD1EAC,SHA256=0935504402159607DADFDEFF17B615C4982620A122A056B29AD7D273E8864798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:51.010{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE02264E11B907B39DC5CD42961A2E2,SHA256=C35EEC3697CE9D7C41A463A685572679CD05F2F07CF3F15323735F503FCABC51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:49.885{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56048-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:52.252{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E27758FD755C92578002A1841BD7FC,SHA256=DCD211917A826A06F788E53D72B338FD51255503376C5CB4B605679C9CC7842F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:50.568{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62113-false10.0.1.12-8000- 23542300x8000000000000000315936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:52.125{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C537EE54122E2D58BBD94EAAF2B5E,SHA256=084CBF46EBBEE943B43E87CE2F6D0F7E211C1A30CF06C475C9828E15CF962EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7BF223B805298F89AA9F58FEC6F4E5,SHA256=A2FA03D4F6D5A519F6C947BCFAF1429677A64B4E684F4EBDC289180A9209D26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B04EDBB9161E72FE58253C741403B3DB,SHA256=DCFCC2900B44BE9104816191827C0AD2D1B10AD43F0035E228DDB623BC6D5EB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000327787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.320{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000327786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.305{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000327785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.305{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000315938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:53.155{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9640ACC85BB9C09DFE69275CA96CA679,SHA256=28BC79AD3B2171E6AAE4EB78DB145E88AD43BB7BD549CF1016C4DC298BE45B64,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000327784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000327783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000327782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000327781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000327780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000327779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000327778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000327777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000327776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000327775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000327774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000327773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000327772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000327771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000327770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000327769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000327768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000327766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000327765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000327764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000327763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000327750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000327748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000327745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000327737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.137{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000327792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:54.389{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D664C9248394A0E1D6B185B0D684EC0F,SHA256=0F0D2F06E9EA2067F2CB17ED96147C79BFBC4F89487FFFBF56833A87D108342F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:51.652{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56049-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:54.188{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215EE900476B5C8B20CFD19DC4A81AF8,SHA256=2117B93BA295918E92039BCA4F96EDC00F5B586477D1F0ABEB03126CF968DA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:54.223{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C828CE18BC4CC565819B3B7591D01C,SHA256=6F7B7E13A819B358DDF7BEB69C8DFF59345BCEAA2906165589FA72E87F410602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:55.388{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B090AC5602456D6548473E06DF6F9CD,SHA256=61D4B3E8896E6C3ECBFA6BFE4CB9FB81B53F3B951A41046AB379477A72603821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.673{F6DB49F2-FD2B-6305-5F06-000000007602}28005988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.673{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000327847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.673{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000327846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000327845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000327844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000327843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000327842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000327841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000327840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000327839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000327838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000327837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000327836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000327835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000327834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000327824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000327822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000327821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000327820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000327818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000327815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000327814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000327813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000327811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000327810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000327807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000327804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.468{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000327793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.389{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D965168FECCAA389852CFDB719D6082,SHA256=C2B7276A9EC76CD7554270BCC6BA7ADD4C6DC4C7BAF52385F3B99FA22B7CA55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.539{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E23B65B5BE5B6CDE57B368C78B55333,SHA256=C3736EE18D62F8E20A6E36EC1EE90F49FAA26793BFDECFB55CF37947593AA750,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.988{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.987{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.987{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.789{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9ABDA4CEA7353E3F0AF507F210B6333F,SHA256=26847555ECB320B0EA1EB7702209E50E73331693DCB65AA1BADF0F7B8861369F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.488{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC4AD9D3BEF65EFF914CB4BD707FDCC,SHA256=D2EFBAFBC76BBCE59FF36B0E9E52EFEE1B9411E01A2918A9ED29CC8AE34B392A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.380{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.378{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.375{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.373{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.371{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.369{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.366{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.359{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.355{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.352{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.343{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 354300x8000000000000000327952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.935{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56050-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000327951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.319{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.319{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000327949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.316{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.315{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000327947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.314{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000327944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.301{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.288{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.256{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.245{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000327939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.234{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB7166A995FAED43D55173CB90A872C,SHA256=38D16D7AEEA5A01FB6501012ED6A1E7A3A7A9900F161C6157E7F12CDD5FD47EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.229{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.225{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000327936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.224{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE8C7F4BF24B59FBFCF3E2F71E76503,SHA256=E20711E19C5B235351DEE75ADD348B4B4DA82624AAC4FD0C47F4104EE73B11CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.221{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.164{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000327933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.164{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000327932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.163{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000327931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.162{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000327930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.161{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000327929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.160{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000327928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.160{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000327927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.159{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000327926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000327925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000327924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000327923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000327922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000327921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000327920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000327918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000327917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000327916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000327914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000327907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000327905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000327903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000327900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 10341000x8000000000000000327899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000327897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000327896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.146{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.146{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.146{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000327893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.145{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.145{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000327889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000327883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.142{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.136{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000327874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.141{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.140{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.137{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.097{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.092{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b