23542300x8000000000000000327544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:10.859{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF523DAC84808B150964A4E9385F67C,SHA256=F1FDC1E01F0D3B8B017D46D1048AC4D03991A2EA7042968762879E11E2C3BE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.873{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.873{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.873{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.505{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE409522144A24CC30D653D2055516D9,SHA256=3F827E5DD42D9170F31735916C407226B84D1295D62E5188EE8C2A77A7721285,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:08.765{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56021-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000315697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:08.653{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62080-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 354300x8000000000000000315696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:08.653{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62080-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local135epmap 10341000x8000000000000000315695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.036{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.036{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.036{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000327545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:11.975{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3818F6DEB0779FADB1D60EA257D53F,SHA256=1AD323FA1BFA3B75614AFC294EEB43884F3E32AD83A4689A7958BDBD015620C8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000315754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.488{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000315753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.471{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000315752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.471{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000315751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000315750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000315749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000315748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000315747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000315746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000315745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.257{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000315744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.254{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000315743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.254{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000315742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000315741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000315740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000315739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000315738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000315737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000315736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.252{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.251{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000315732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000315730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000315729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000315727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000315725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000315723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000315722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000315721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000315720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000315719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000315718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000315717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000315715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000315710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.235{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.237{D25361F1-FCFF-6305-0E06-000000007502}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000315703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.053{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.053{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000315762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.349{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62084-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:10.349{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62084-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000315760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:12.076{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE332D593DF8A244874D2CE47F99EE9,SHA256=8438A92A7984865A91E564F897DE2504762BBEEA9B02FA82DB5F3348F9427EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:12.076{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA8FC0ADC4CEA7A79F55608F3795C87,SHA256=43B69064E7F3FD93054E14D3F15605A457FB7B7E7BE3D83F6FA20350CB5DC446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.513{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62082-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.513{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62082-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.338{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62081-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:09.338{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62081-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000315764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:11.669{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62086-false10.0.1.12-8000- 23542300x8000000000000000315763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:13.198{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F91F2AAECC09A15A6601BF0F210557,SHA256=BA577894E314A777E65A4EFD34E0C48EC27C55B6A344A175ECC66D6779F9FA4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:11.058{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56023-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:10.937{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56022-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:13.075{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BD02AAB21246FE696F71AE9D1C5722,SHA256=86CFEFE3B3465CBAE53C6A2A58574262713F589B802F9B920299DEA9B101CCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:14.314{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47044BC37909734036D672F7B1746D20,SHA256=361C4419AE8B6942566A9C19193224CF82EB3DC0191D2F60CCD97D4BBB3FEAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:14.176{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CF9CF4F3E4A127BE3A36851C74451E,SHA256=1BC299B9E35B0CFA5F75395BCAF016AEAC9F82A0E55B13D9A21FC104865A9778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:15.415{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ADD58592C65A89F654ECECE784217F,SHA256=1BB71665F56CF38BD2BD14AB2CD5A9A4EDDECB1E5AD1B26B305C07480ADBD39D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.986{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.983{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 11241100x8000000000000000327553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.875{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txt2022-08-24 10:27:15.873 23542300x8000000000000000327552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.874{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000327551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.873{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\AlternateServices-1.txt2022-08-24 10:27:15.873 23542300x8000000000000000327550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.294{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFAF5DE2E1A51034ACFF9A5193E1171,SHA256=725808E8C63A16FAA22AA5EAF5107A34E8061B6D0A9995A6BF9596328E8133BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:16.546{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A06AF31D52735D03C3F572CF857097,SHA256=9CEC4CED26EF4D99BF465D114BBBA5BE1CB23B6CB13076C776342AD4B0A68F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.611{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3373A414FE6EB11F9453CA276DBF45,SHA256=F938A1F733ABEB8128D899AD53558A193313FD79CB08C91B7E1944AC5DA57E3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:13.241{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56024-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000327603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.304{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.301{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.298{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.292{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.289{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.280{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.278{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.270{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.245{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.243{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.242{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.223{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.213{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.193{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.177{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.172{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.170{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.166{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.164{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.161{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.160{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.157{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.154{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.152{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.140{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.135{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.132{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.128{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.122{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.120{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.105{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.096{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.089{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.080{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.070{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.062{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.034{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.027{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.020{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.012{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 10341000x8000000000000000327556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.002{F6DB49F2-D1B7-6305-CA00-000000007602}48606020C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019B4E190) 23542300x8000000000000000315768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:17.632{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9517A6754EAB1A800F2155A5404DA938,SHA256=572726EFAA9EF6E7C9D7E19193414A07E3308B0C873C995F6BBD78854FE43734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:17.394{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6D56662836A148BF6F45727F23FC23,SHA256=1BD4FEA023488C48C47D040033FCCCD3CE07ADF1287C0BA9FE26328A20B09086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:18.747{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDE4D4A0DE5C07F503D5BFDD419A9DE,SHA256=03536A1C893DE92BDC76C6ECD45ABEC7C6A123E17D62415D53771E5162C81984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:18.510{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C355EB59A1A001D48585960A90179A9,SHA256=4F3118ABA50D3E62C2C44EDD08DAE1FADD9E12A6C9DAA4F9097B05B912103EB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:15.540{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56025-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000315771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:19.878{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF4720DE33D37ADAB6C06881E5567FF,SHA256=BA1483A456920065595F476FA8E3118DF5D7A4F8DE1378CCEB5DDD02A0FEA8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:19.612{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B1C00ECCCED2C8249DCC4C6B017CB7,SHA256=94CFEAEA48B8BC63551AC6FEC12F41CFD86F4B55712D00B452B86F13565B828E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:16.669{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62089-false10.0.1.12-8000- 354300x8000000000000000327610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:17.710{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56027-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:16.920{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56026-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:20.915{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B8D20CECE2B5C3EBFD074B62814CF7,SHA256=484FE5084A087844C44BF062A511A16E5D0323C5283F0FA6ED5C98834D02BCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:20.740{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53E80D7D8424D194E150E6CEEF513F4,SHA256=A5349F06FF3E66B144AC79A9B75C035EC4F47A90542CEDDC075D5D703102BE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:21.873{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55266DC35FAE2662ECF1D0FB9C17C591,SHA256=93C1B7A1DD684FCCB37BD297F88C971B1F2A0A44CDCE11E9D1091FA6238EF638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:21.015{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:22.994{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D49554D59AA06C2432F998D51BC865,SHA256=451596F1B936EF918DE51951BD6F49E07F46936265EA47C2C14F95DA9797C725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:22.046{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B221743E8BDF3B0B18C36D312C3073C9,SHA256=D21E4092CD7A2C989ECCDF93E16E8577B938E12B1640ADE62D5EC49A8118B7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:19.980{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56028-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:23.176{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEEF22D7902E5C5554DA6E7BA23196B,SHA256=CE5CBD8A23275AC548060826092E1C754CE032885EA813C6102796A05171F69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:20.471{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62092-false10.0.1.12-8089- 10341000x8000000000000000315795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.741{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.734{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.730{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.728{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.726{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.692{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.685{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.673{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.666{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.658{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.648{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.636{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.619{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.605{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.595{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.581{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.487{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.482{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000315777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:24.294{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4161034541F7A7F5088D0F8B390829,SHA256=F53D7DC512C10A73F9CAFE223A7341CD165F7E6001E313B92837BCF55AF29758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:22.260{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56030-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000327617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:21.958{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56029-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:24.109{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0628CF6CDD248495C00678ACA75314,SHA256=16EE68B0E1CCF790B4E5F919EB4E65ABF0E3C2B2C4FCE57AE47BFFE5FB186105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:25.693{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=570F268EB737516B6632C7C9A3D9BB75,SHA256=0977F3CF3002626AF1E1E86FBE0D929DF34C9BD48BC2134BDF9C3DC838497BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:25.241{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B67F75F34211319BBE11251EADF043,SHA256=93526E53D13A6921B8F9849EFAA0FDC9EA3E0E3718945C477EF5660B81C4467D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.308{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEBCF7B9FC999832378ED5F89F24337,SHA256=9634EC54114EEEFD36FB5945FEBC791EEC04E44CAB21321AA69CD881B671DA08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:22.622{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62094-false10.0.1.12-8000- 10341000x8000000000000000315800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.218{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.215{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.211{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.207{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:25.206{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.773{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.773{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.773{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.767{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000315809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.765{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000315808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.764{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000315807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.762{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000315806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000315805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.759{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000315804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.758{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:26.378{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0091EEDCF4ABC5A3EE5C39E46A00CC62,SHA256=ECD2F1D47EE63859B335D9D98BCCD6CCA82B037148C0C30EC93528746755C7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:24.556{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56031-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000327621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:26.373{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB86DDFBA454B820587E589D83268F01,SHA256=4EF0A522E568518ECFAA8023A67413F4B4BBC99054A605D75A9908EB83E2A37C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.963{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.961{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.960{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.960{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.954{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.952{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.948{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.945{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.942{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.939{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.937{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.929{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.907{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.899{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.884{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.853{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.841{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.829{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.819{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.815{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.811{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.807{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.804{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.802{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.794{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.793{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000315820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.474{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6507A8ACC080659BF07FF3D89AE0B6,SHA256=AC2E641A4A7437E295E6478F0C1189721E9B2A7C3FE0303ED57DD644598EA846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:27.523{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3656784CF94CDB7342A1362CEEF1DE,SHA256=CD237DC799D5168C758E942CED6BC84009F128C6D90250FD257EAFBD1179B0CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.285{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.283{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.270{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.268{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.261{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000315814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:27.029{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:28.550{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51FAB6322EF2D5E510AF49C872456BD,SHA256=562E98344B391E5197DCEB07CB85ED3106A5105B03276676064E6B22A838C3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.796{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-186MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.577{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1F32CA91909ACD3ED5C8DB539AE7B2,SHA256=04478DB04BB2A977CFACF32FCCBAEAB67B5BD6FC31A368EA25A7B5B7042A2929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.045{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:28.042{F6DB49F2-D657-6305-8E01-000000007602}5876WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mlzagqlp.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2097961AC03803FFD18A79242FF4B8CE,SHA256=87B862B3C95FF1D3694B0AA58D8577940F15371CE82E370B8E2457AE47713A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.677{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E18BD5EC3056E494AAB9E629F4FDE2F,SHA256=47B3652E4D6CF5CA4E9EDFAD8FAB29476213C38C74A9870B28E0D264EDB9F505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:29.809{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-187MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:26.986{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56033-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000327629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:26.754{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56032-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:29.673{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE2E4CD3BE0C5FA786EF82CFA114FB0,SHA256=8EBCBDD82C0A90076B83B488513C2CE3BF64E47A92F0E1103C15563FD11A674A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000315851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:27:29.529{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8b7a4-0x1cedda7b) 10341000x8000000000000000315850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.529{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000315849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.529{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:29.529{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb04fae.TMPMD5=7C93E0E6DCAB68B9BCC4A82C8177A955,SHA256=A68F241C43CB569619FD463D3B05D59F2CDDBA1A0B0BFA98F8E433A34B35189A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:30.914{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B809C32DD3C431BFE7C2D646609F014,SHA256=C90EA437F4452DB8C8237C65FDE0528E3360CEA6F4F12165211D4A127E214037,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:29.056{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56034-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:30.740{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B3F237F27BB54DAA14FB6A6E5FB1CC,SHA256=341162636F3FFE228B44D0D7C2B12A592E20B9E6148537F5CE57AD1BB002B552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:31.840{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5709A55C9F99891AB0EC91B5A01BCD,SHA256=46635D8A07FD337A4BA831F03E9C152E48C35F4D05273574928760EF088A4077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:28.506{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62098-false10.0.1.12-8000- 23542300x8000000000000000327635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:32.956{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B02197E41E1CBA3C62A28703CF5A341,SHA256=EAB93361321D6B69570EDED42D13255E5D587CAA84F495FC501461144EE744DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:32.272{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=153B9E08A459E93661A0F90A97BC81F0,SHA256=03B501A0FE4473674FDD94CF164FD41763311C553DA9ECF598A207D45C9E8091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:32.029{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DDC96F24ACA7B47627645D05681353,SHA256=A3A04382968A91D6FAA26E8D74222B892CCF4824CEC8FA1C60228C04E7D65D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:33.145{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3535E5D97E7A92B6E46D56C6DC2BB1B2,SHA256=674E4649E7939BC2F08B53F9E82A6641AB407C1FCD34738B7BE5675A799ED289,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:31.324{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56035-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:34.875{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DB076A8A5D000D7C0F9A63C1EFCCC678,SHA256=FE1DF4D47CF6C3ABB667D7DE0796AEFA84BA40ECEB42C09D0E3F5A71D9EEA330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:34.261{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5821B6C788B7D73B7EE47562A381345E,SHA256=97809CD84DE671FABFF3D1CB23190580F4FD3096BEE5C64046FDAE5FB8E72BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:31.988{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56036-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:34.076{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC51442E983765B093DE27BD4B7C659C,SHA256=48F5C210B672F0B3EE3599E0E474D9D6A7F9E354B761AE23D72ACAC682CE7584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:35.393{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234758A06529E3D04D2B112A7D3258CD,SHA256=5FD504C236755A620F20D338E4050DC69814EA3DB321483E3173CDB5EA7FAE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.987{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000327640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:33.608{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56037-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.193{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FE418E5AF5208E91F5D698B9182C43,SHA256=B966A495C0626A325856D39C02FA1EB1434E88B2CC4174654A80996307D187F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:33.556{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62101-false10.0.1.12-8000- 23542300x8000000000000000315861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:36.512{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C68608E3FFD0CCC7734003AD9E122CB,SHA256=99436DBB127BD1A21CBFCE637D60FF9331B46446BC387EB42319AAF3F38D257C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.438{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.436{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.432{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.428{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.425{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.421{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.417{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.412{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.404{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.394{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.379{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.344{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.342{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.341{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.325{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.306{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.269{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000327673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.266{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B694DCE9000B18E2CC25F528FC1EC7,SHA256=5B682562AB5D29602284CA29BCF8B775CC17319D63152004A728729BA19E9241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.261{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.247{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.235{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.226{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.223{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.221{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.220{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.217{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.215{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.212{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.207{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.204{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.191{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.186{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.165{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.111{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.086{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.080{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.070{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.054{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:36.019{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000327642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.999{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 354300x8000000000000000327693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:35.893{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56038-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:37.756{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C5BE9C7C9AC7102F91446A27EE7EAF,SHA256=B0614737EA5940A83FBD19DAFCB9007BF0F28958D33FA84F24A49881C00CAFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:37.759{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=054FC64FCCDC51ECBCA3EB1558339303,SHA256=486701818604CDADF3AE16C2D213BC550FE73131167362A3451FDBE59FAC871C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:37.612{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517D2F2E9D1D4081BF6DD60A35CBEA54,SHA256=4FD139E237EBC2421DEBE9862FDF5F31B3EBEECD4E247170D9B1DFC55E256B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:38.745{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01745B57C059AB22B43D767AB126D77,SHA256=4A00C2516A31B504257D65CB14EC8C21AB902D0C2EA995CE517DBA4543E5ABB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.356{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.350{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000327699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.349{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000327698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.348{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000327697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.345{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000327696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000327695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000327694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.342{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:39.874{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98C5C9934938257AFD3845AB5D88A33,SHA256=6DE4C662B11342201351E74FD7BD7F106BA372F47328C21AB56E8282EA6B7F80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.186{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56040-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.019{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56039-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:38.996{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B21DD7B26EBEA3742A1C2BB2974FFFF,SHA256=2551A0E5E08A031325AA4DCF7B4DF700C00435DC986FECAB003EBB7901B9937E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:40.965{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833E14BBD47E836A396865D0EF163B40,SHA256=4EA7C2404A766EC911A01B21B9877B861DDFB2EDB7A918E63A87C4FC7FDA85FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:40.126{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A569A2AF7A683D8711AA8FDD01FE2A,SHA256=F04FD8628AC843F6347D3D48A3D85F27159495BEB15BD9AB02B8858540C19DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:38.720{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62105-false10.0.1.12-8000- 23542300x8000000000000000315867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:40.492{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-186MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:41.158{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E180FBF93D251B44113C28288E064B9,SHA256=FD48E25AB44E8C4FC425DFC4F120516D814DA32B9765540B782AED274A4D5934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:41.592{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2890E2C1B1053DB8ABEEA9D90ADB2296,SHA256=7ACB895A1CB6B13B5F9F7A00F23BCC40BCC8DBA1DB12B5669604ACEAFD1DC1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:41.492{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-187MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:40.380{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56041-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000327709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:42.195{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B0F6A15AA2B4073103CBB4C75E6458,SHA256=2595A6A887A192C3F617ECEDC5AF7CA5060962A92C86F535490E05F35D067703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:42.048{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9688C2C9E507AC51318F8557568D6420,SHA256=8889B5050D0E2FAC4FDA9F17B9FAD00A3F6169F48458D06C01581D3C2342DD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:43.342{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EBC05CFDECE59603340EF68B2551AF,SHA256=4B65ED856A73AFE0BBC89B45113E27A6BF46D05AB8F3CDC991CF839B387A6DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:43.074{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90C46F7F73AFB69BB7711F4A089CF77,SHA256=56EA5D42CAB06DFBFE38414FF55D24D9E94567A611E17E8E56B32F45107E048C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:43.010{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99745B1610F0D59490F29896E8974605,SHA256=63D9BB0D1B08319AD9BFB2D05BBF374E4DFDCDEA1B427A350FECA0F9B023C50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.709{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.474{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45780187C88ED9AFFCEF7261413128C7,SHA256=5B75EA54A4F5BB7961AFE72822A4B5F1E39296EDF1B6AC03F57363E269EA4BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.683{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.676{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.672{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.669{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.666{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.637{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.631{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.619{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.610{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.602{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.591{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.584{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.573{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.565{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.550{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.538{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.478{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.473{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000315874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.191{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5627BE19A01656557E20493E23CD11,SHA256=FBDBA076ACBE9B963E712A8A59A65A9FDC017D525F5D18751B6C83DE0F4EE4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.517{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B138F6EF6B6E2D48C321994A4545C3D8,SHA256=9C74F2D05BA6B612873C2DB165B035D8C9895946129525FB12D4916CB6A1493B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.428{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F042D0D08AAD69D90E95845EA49EBE,SHA256=6410640A43434E14D945C76D24DB70ACBCFE91FFF91DD2F612185F2318AE2143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.124{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.124{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:45.124{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000327715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:42.660{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56042-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000315897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.160{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.157{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.153{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.150{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:45.148{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000327722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:46.639{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786B697E412E11942D8C106B355FBA87,SHA256=6C76C306A8DBADD3F51FBAD178612DE2F8505386E4BA14ED69001418C4CDAC4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:44.601{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62109-false10.0.1.12-8000- 23542300x8000000000000000315899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:46.559{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D6E0E23CB48656EE56AAC2CD0F4C3D,SHA256=A8C1196F71DD96F5D8F1A1D5FFBF9D4324050753C77C7F48D660E05050254DE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.456{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56044-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000327720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:43.856{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56043-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:47.772{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E760D4118915F38490632B4A21B6893B,SHA256=78090BD784998B3365B0F24E73D132626EC41C7036C930F67DC9DC0B368F26BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.935{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.932{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.928{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.927{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.924{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.921{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.917{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.913{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.907{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.903{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.900{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.885{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.858{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.851{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.836{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.806{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.797{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.784{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.777{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.776{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.773{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.770{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.767{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.766{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.762{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.759{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000315906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.674{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7788F61A3DE6493A47F7EF2E7543B,SHA256=E194467E58FDF17689E990A1145BD481C255F65303CAD8E88D18914F6D607DEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:44.939{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56045-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000315905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.252{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.250{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.234{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.233{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 10341000x8000000000000000315901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:47.227{D25361F1-D530-6305-4001-000000007502}40325448C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001CFD4190) 23542300x8000000000000000327725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:48.854{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139C50FE73DA0A401301126130F5A5B6,SHA256=3D76EBC4E247888D62722018FE2B6A5879D046AB7E6CF32ACABC30893F05528D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:48.774{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE49920B5750EBEE25010AB2C749835,SHA256=F67AD76A4A8B3FC20805795401296817A1A74370C2D31974BC2A914AA43AF689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:49.972{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F75921C61AA6646492B4222EE9BD12,SHA256=48C7657FE9F6E50650E2FB2E7FF8982B694152720D159C85367812CA4BC56408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:49.873{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389DB72F9E617A34DE94D8E8A59E9CCA,SHA256=81D5F9D7182D2BC9B684145D3D53069167F1AD339F92B2853E10F6CD2E74C633,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:47.154{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56046-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000327729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:49.450{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56047-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000327728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:51.106{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09DF5273F391F5265DDAB63C8DD1EAC,SHA256=0935504402159607DADFDEFF17B615C4982620A122A056B29AD7D273E8864798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:51.010{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE02264E11B907B39DC5CD42961A2E2,SHA256=C35EEC3697CE9D7C41A463A685572679CD05F2F07CF3F15323735F503FCABC51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:49.885{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56048-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000327730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:52.252{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E27758FD755C92578002A1841BD7FC,SHA256=DCD211917A826A06F788E53D72B338FD51255503376C5CB4B605679C9CC7842F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:50.568{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62113-false10.0.1.12-8000- 23542300x8000000000000000315936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:52.125{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C537EE54122E2D58BBD94EAAF2B5E,SHA256=084CBF46EBBEE943B43E87CE2F6D0F7E211C1A30CF06C475C9828E15CF962EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7BF223B805298F89AA9F58FEC6F4E5,SHA256=A2FA03D4F6D5A519F6C947BCFAF1429677A64B4E684F4EBDC289180A9209D26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B04EDBB9161E72FE58253C741403B3DB,SHA256=DCFCC2900B44BE9104816191827C0AD2D1B10AD43F0035E228DDB623BC6D5EB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000327787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.320{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000327786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.305{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000327785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.305{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000315938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:53.155{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9640ACC85BB9C09DFE69275CA96CA679,SHA256=28BC79AD3B2171E6AAE4EB78DB145E88AD43BB7BD549CF1016C4DC298BE45B64,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000327784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000327783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000327782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000327781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000327780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000327779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000327778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000327777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000327776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000327775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.152{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000327774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000327773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000327772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000327771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000327770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000327769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000327768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000327766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000327765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000327764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000327763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000327750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000327748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000327745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000327737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.136{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.137{F6DB49F2-FD29-6305-5E06-000000007602}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000327792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:54.389{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D664C9248394A0E1D6B185B0D684EC0F,SHA256=0F0D2F06E9EA2067F2CB17ED96147C79BFBC4F89487FFFBF56833A87D108342F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000327791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:51.652{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56049-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000315939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:54.188{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215EE900476B5C8B20CFD19DC4A81AF8,SHA256=2117B93BA295918E92039BCA4F96EDC00F5B586477D1F0ABEB03126CF968DA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:54.223{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C828CE18BC4CC565819B3B7591D01C,SHA256=6F7B7E13A819B358DDF7BEB69C8DFF59345BCEAA2906165589FA72E87F410602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:55.388{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B090AC5602456D6548473E06DF6F9CD,SHA256=61D4B3E8896E6C3ECBFA6BFE4CB9FB81B53F3B951A41046AB379477A72603821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.673{F6DB49F2-FD2B-6305-5F06-000000007602}28005988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.673{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000327847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.673{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000327846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000327845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000327844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000327843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000327842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000327841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000327840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000327839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000327838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.489{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000327837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000327836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000327835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000327834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000327824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000327822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000327821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000327820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000327818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000327815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000327814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000327813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000327811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000327810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000327807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000327804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.473{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.468{F6DB49F2-FD2B-6305-5F06-000000007602}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000327793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:55.389{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D965168FECCAA389852CFDB719D6082,SHA256=C2B7276A9EC76CD7554270BCC6BA7ADD4C6DC4C7BAF52385F3B99FA22B7CA55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000327964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.539{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E23B65B5BE5B6CDE57B368C78B55333,SHA256=C3736EE18D62F8E20A6E36EC1EE90F49FAA26793BFDECFB55CF37947593AA750,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.988{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.987{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.987{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000315942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.789{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9ABDA4CEA7353E3F0AF507F210B6333F,SHA256=26847555ECB320B0EA1EB7702209E50E73331693DCB65AA1BADF0F7B8861369F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.488{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC4AD9D3BEF65EFF914CB4BD707FDCC,SHA256=D2EFBAFBC76BBCE59FF36B0E9E52EFEE1B9411E01A2918A9ED29CC8AE34B392A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.380{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.378{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.375{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.373{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.371{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.369{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.366{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.359{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.355{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.352{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.343{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 354300x8000000000000000327952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:53.935{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56050-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000327951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.319{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.319{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000327949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.316{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.315{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000327947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.314{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000327944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.301{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.288{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.256{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.245{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000327939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.234{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB7166A995FAED43D55173CB90A872C,SHA256=38D16D7AEEA5A01FB6501012ED6A1E7A3A7A9900F161C6157E7F12CDD5FD47EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.229{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.225{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000327936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.224{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE8C7F4BF24B59FBFCF3E2F71E76503,SHA256=E20711E19C5B235351DEE75ADD348B4B4DA82624AAC4FD0C47F4104EE73B11CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.221{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.164{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000327933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.164{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000327932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.163{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000327931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.162{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000327930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.161{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000327929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.160{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000327928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.160{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000327927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.159{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000327926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000327925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000327924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000327923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.152{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000327922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000327921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000327920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000327918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000327917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000327916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.150{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000327914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000327907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.149{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000327905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000327903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.148{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000327900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 10341000x8000000000000000327899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000327897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.147{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000327896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.146{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.146{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.146{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000327893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.145{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.145{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000327889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000327888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.144{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000327883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.143{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.142{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.136{F6DB49F2-FD2C-6305-6006-000000007602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000327874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.141{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.140{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.139{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.137{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.132{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.123{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.097{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.092{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000327860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.088{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ADB04196883FEF4C490317D75F583F8F,SHA256=FAF6C8A9714ABDBE7995158653F600DA6B789856BFC6DA4B1C6BD0852E74E0AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000327859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.086{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.080{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.071{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.050{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.046{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.037{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.026{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.012{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.004{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000327850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.000{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000315946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:57.607{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A814D5AB940498FAF72D223CC2EFB6,SHA256=B766AD1ED7C3D0B56C3DD28683C44453EDB4B045952EDDBDA4B2BBAA6F9EDE75,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.828{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.828{F6DB49F2-FD2D-6305-6106-000000007602}24685116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.820{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.819{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000328025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.799{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.799{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.799{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.798{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.798{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.798{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000328019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.669{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2BED8E2A79F03E4968C4A9C7D524F30,SHA256=619AB3A69F6724DE096EBDFF956E2211B1CFEFDFA727E2C4312335A20A35BD68,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.652{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000327999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000327998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000327997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000327996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000327995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000327994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000327993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000327992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000327991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000327990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000327989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000327988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000327987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000327986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000327985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000327984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000327983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000327982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000327980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000327979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000327978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000327976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000327975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000327967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.636{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000327966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:57.637{F6DB49F2-FD2D-6305-6106-000000007602}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000327965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:54.968{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56051-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000315947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:58.710{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AB7509881D1DB1619AA86BC648ADF2,SHA256=33974440D351CB0F1FA6EE654CF0091C94A85B52AF0B4B93E417E43A5DF3903B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.974{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.974{F6DB49F2-FD2E-6305-6306-000000007602}9601956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.974{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.974{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000328141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.854{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.853{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.853{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.852{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.850{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.850{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.850{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.849{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.843{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.843{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.843{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.841{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.841{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.840{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.840{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.840{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.840{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.840{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.840{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.839{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.839{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.839{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.839{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.837{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.837{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.836{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.836{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.836{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.835{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.835{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.835{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.835{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.835{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.834{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.834{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.832{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.831{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.831{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.830{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.830{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000328101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.827{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.826{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.822{F6DB49F2-FD2E-6305-6306-000000007602}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000328089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.689{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5942451BE76791DE9BC064D92A56CA,SHA256=32E9CB74F11570D184AAE3BB50EB0602E019A7EC9C607503C07B8D36336DB725,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:56.210{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56052-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000328087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.337{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000328086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.337{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.337{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000328084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.252{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F501A34D19960C0806E4BA81BD52AE1C,SHA256=006732BAB21A04BFAE3E5331495D0E37F64497D24366FA766C9C4BB01675F6E5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.174{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.173{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.173{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.173{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.173{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000328068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000328051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000328047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000328044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000328039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.160{F6DB49F2-FD2E-6305-6206-000000007602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000328030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.157{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8217CF8D3C73736EDB61A2ADC531C6,SHA256=58BECC8352E91547700A3E9D251A130041DC5E4AF0A59ECF49C354B2E0292F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.926{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2510A5B3CEA8F76524AA552A2A09440,SHA256=809A19CEDB572EE9245C3644B9DE1C00E4F25FD0C287D31B325E9C5BEB8F6E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.923{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56264B00813E2B7290D88166BB95FBB,SHA256=42A4A6583D06F9CC7A47AA81028E2B3C9277E810F415BBE970303B20B4C7D34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.923{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB52863E86185940A1E461B280DDEF9,SHA256=453277BC9C2D74176FBA61069854EE35E0EAF682A66958F0CD5A46985B3930CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:59.830{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F36A2CA85D5737FFA6EA47D9D16C42,SHA256=2537E1C961D11E780C21C8DF2CE8D49B1DD41DEFB9CF5795731A7E5244FDB130,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:27:56.568{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62117-false10.0.1.12-8000- 734700x8000000000000000328201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.652{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.652{F6DB49F2-FD2F-6305-6406-000000007602}23004616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.652{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.652{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000328197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.520{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000328155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:59.505{F6DB49F2-FD2F-6305-6406-000000007602}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000328205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:27:58.504{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56053-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:01.037{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6891BDFD5633D7B8C5B62D9149FC95D4,SHA256=3BBF8EF46789D2C99C234F426E30B69CFABCE0B256C93F747995CEEB294B1E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:01.076{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E811A2B14CAEA1D12F7D01FD853E265C,SHA256=0540EAE1CDE5D784ECB79EE2AF017F1AE4459C1B3E9E46A05ED9201F5A868AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:02.193{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9840160269CC8A3B7663BDDFFA4A62E7,SHA256=44CC66C492391A445BAAE07D450924B1699126251B8704BB94E81D3A85DF60B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:00.883{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56055-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000328208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:00.777{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56054-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:02.137{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2555B2E7CF85C7223AA303807624ACCD,SHA256=9D25BD464FCF14268B1A1E7C5A3E3824CE5DC5EE1AB7A3DA0B1A72B0C293EB3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000315953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:01.621{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62120-false10.0.1.12-8000- 23542300x8000000000000000315952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:03.315{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9326CAD86552304545B529FAA90EC4C8,SHA256=E4AB8613BF716DC0C00D4C160144DF8A8D94545F6D86D3AD5D2516F1589F471A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:03.253{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78004BE2F3AE77786280A0FF3C2FFBE5,SHA256=1F6BACD35429774EBA34DCCCB4D69450F69A9E00CD34F942957B7DDD164D8C6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.676{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.669{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.666{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.664{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.662{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.637{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.631{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.619{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.613{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.604{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.594{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.584{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.571{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.562{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.551{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000315957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.548{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883582DF34C45CF2A1275BAFA648C43A,SHA256=1037C74102C56A49279A3E1EB5EF857C833BF7ACBFFF551E900B4B9C59AF6186,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:02.974{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56056-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:04.353{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4806EDBD91336DB17F17244213F1EC9,SHA256=A6A052F052D759D4BDF3A6CB903409D10168376D1CB1FFBA82B1F2039EAF49BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.535{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.478{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:04.475{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 734700x8000000000000000315994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.997{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000315993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.997{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000315992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.997{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000315991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.997{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000315990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.995{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000315989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.995{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000315988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.994{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000315987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.992{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000315986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.992{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000315985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.976{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000315984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.976{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.976{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.976{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.976{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.976{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000315979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.977{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000315978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.600{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2061A6804FAB4B41ED7D96A2525A0B0B,SHA256=30D8E39E35004B1F97AE45A5511A42026763451DC66A59EF38579FF0B6B1B4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:05.452{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDAEB97AD93436C8D1C2F6CD6DE692B,SHA256=5CD7B6924F0B5B924BC300943C0FC42E888D2CAEA149C5CE1948CAE9ADF4B42D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000315977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.077{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.075{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.071{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.067{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000315973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.065{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000328214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:06.554{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D06967F5ACE1A20FE22787FFD0E75C,SHA256=491078909A94A87F28AB2881B80955D826AD7CF4416D10D0ECC62D14B0AFD0F5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.863{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.863{D25361F1-FD36-6305-1006-000000007502}59283888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.863{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.863{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.697{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.697{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.696{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.695{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.679{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000316045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000316037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.664{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.665{D25361F1-FD36-6305-1006-000000007502}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.419{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=48B91E96264083BD0EE7799217FAA2F1,SHA256=E46D6C7A6729283ACEA1B2272F440B869C04AC4CDB08F92BBDD4E5AF30A91C4F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.178{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.164{D25361F1-FD35-6305-0F06-000000007502}42485624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.164{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:06.164{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000315999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000315998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000315997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.998{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000315996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.997{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000315995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:05.997{D25361F1-FD35-6305-0F06-000000007502}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 23542300x8000000000000000328217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:07.672{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E78176774C13BA6493C0D7DC891234,SHA256=798D6C9705FBD71A703FCE71DC4EAB2F9E96B86A560D6C0411890CE9234A5656,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000316181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.980{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.981{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000316174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.786{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.785{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.784{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.784{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.782{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.780{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.777{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.774{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.769{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.766{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.764{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000316163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.764{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CB26BA9FCEFF3734131CB65300E800,SHA256=E74E518D52A34272D281994088D84E63C938C793C53D0429686DD9ED8378489B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.757{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.730{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.716{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.703{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.683{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.676{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.669{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.663{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.662{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.659{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.657{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.654{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.653{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.650{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.649{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.545{D25361F1-FD37-6305-1106-000000007502}42125536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.545{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.545{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000316144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.493{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.493{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.493{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.492{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.492{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.492{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000316138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.427{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CBE6CCC05BA5408E8BB371F6958A03,SHA256=2015A8C340FBE2353BFB1FECD0A58B47025CDC4C3F181F93619E284BD9F9BC9B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.331{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000316101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000316096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.316{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000328216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:06.015{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56058-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000328215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:05.173{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56057-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 154100x8000000000000000316090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.317{D25361F1-FD37-6305-1106-000000007502}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000316089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.141{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.139{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000316087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.127{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028F5392FA3279A0D66600EC86B3E171,SHA256=5C3679A7A37CA56CC81DC93593BCC5831FB97C39CAB389AAAC1E7356472CD556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.124{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.122{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000316084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.116{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000316083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.062{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F20468D9BABA64703F22E69D98A3B116,SHA256=83ADCC50BE740048377203B748E0549F1AA6921D535338726362B7AD401A5972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.964{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C6808FC4E3BF66E4A4F9D32EBE67A4,SHA256=B77472FCF5A72E89D9C0121E9B5DA07EF6F0BFB04897EF57E3A4B94F01C22538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.964{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D751AAFA1263364FC7C6BFB1F1FD4F,SHA256=1AD24A958B1A4F1B8B1BD500A62FD086DE9FC1236565E462B48694034C08F3A2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.817{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.817{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.817{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000328218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:08.753{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B216B9E134CEDEC83801EB142EBD5DD,SHA256=4B5712B727679A28D1047D505BD2CF98BCD3BA7232430608079EC5F6966D7F53,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000316270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.664{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000316250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000316248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000316246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000316244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000316239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000316234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.648{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.649{D25361F1-FD38-6305-1306-000000007502}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.298{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA20CC440578662889D089DD7FDF3BB,SHA256=0F11081DADF4F29599B6CA04C51A2775AF50243AA1C835596D21782FF8BCB083,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.133{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.133{D25361F1-FD37-6305-1206-000000007502}19324812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.133{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.133{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000316222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.032{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1C99E18FB1E66BEBC40DC3D8D31233FC,SHA256=ED0C71EF58CE9EED87179A7CE8CC406349C106DEC25F1EEFBE847501D07069DF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.001{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.001{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.001{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.001{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.000{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.000{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:08.000{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.999{D25361F1-FD37-6305-1206-000000007502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000328220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:09.870{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B73CE19D34F7EA4AA462F46638B7BE,SHA256=6D5243DC93E394DAE5125CE3CCBB8A607B2A025E04FD4D3D36168075C11A33F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:07.373{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56059-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000316335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.516{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.516{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.516{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.364{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.348{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000316297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000316291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.332{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.333{D25361F1-FD39-6305-1406-000000007502}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000328221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:10.871{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378631A7F077D99C4B8705F62F3B86F6,SHA256=1596804EBB3AE7696FAAB54723B6A97F35DAEB096A6756485B1C6743BBEC0AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:10.097{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01F2D673A80628FDF3186B52BC0ACF2,SHA256=7871641BB0FFD9049AD9881C9173EB1AB9504F099ADCDA040DBB70B955C717C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:07.547{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62124-false10.0.1.12-8000- 734700x8000000000000000316391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.464{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.464{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.464{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.233{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000316373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000316352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000316347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.217{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.218{D25361F1-FD3B-6305-1506-000000007502}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:11.180{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F7527E401924F0B95182B73FF46854,SHA256=8FC9D7FD7845FD37F02BCD1B7EBD8F9FD96AEFBD34285EFD6E91EC0974BE29D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.357{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62126-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000316338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:09.357{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62126-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 23542300x8000000000000000316393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:12.348{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659E6CE6C1A9BEBD5C1EF86CFA6CF08D,SHA256=6763B8763D9054AD705E86773357C2D0F7FC948955D57ECEC2179BEEC6290BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:12.266{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9791BBA3019C668783EEC40F123DD6CD,SHA256=981F5807CC1F4670EF1694A05AD441FBF54A673E9A4FBF82F681E438A0311B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:09.589{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56060-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:12.004{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007AD393FFB8B382D12A38C67728C244,SHA256=37AA167338AF77446CC4392BB7C7E2517A267404AAAF33F42BF68B2258F1B14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:13.380{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69AE155D1BDF11C7242C1BEBEFD6B0B,SHA256=BD2C1D107E6F2BD98EE6A938BDCF16113160C4710F1E0589A2B298DB0D18FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:13.124{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC0C3EAE2958097275EEFFD76A4B928,SHA256=71DA13A44F35CE0F167124372FC5972C451224C3535A5DDB4AAAC5A0D187B65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:14.497{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B3EC468D7653410B8EC3164C8EC211,SHA256=D587593EA79FA6671B5188121D50A0468E144B276AD3D5696BCC608132AA809C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:11.933{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56062-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000328226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:11.888{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56061-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:14.225{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84139DBB8EBD239EEBA2DC6B2092049D,SHA256=7CCE719A24E5E6F066E105542DEF5455EE1A1FF3C2BF8E221F32FE386F927CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:15.632{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127720A2216B0F8A98B8ACDAB46C86B2,SHA256=2771110C26E95442D1CB898142032FAD3270E916EB1906FFEB58BDB5F7F84A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:15.340{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C79B877F470C78111D99685B26C5CE,SHA256=8941E5BD896EA8E50EB90D33592BB7C7CD5D0C30BE59AE3ABB1F3240E490485F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:12.710{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62128-false10.0.1.12-8000- 23542300x8000000000000000316398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:16.749{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD043B431F56130C6213D1535B6D8297,SHA256=492D1BD16C115ADE6805BEBFF91CE1AC32C471B215BBD4188CEA8B9535E2091B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.609{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9008476F54CEC6D1BCC6112A400054AB,SHA256=FBCD224D854A7CFB90D2B3AFCEBD198F46A050B5CD1E94C5889F898F622A2DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.312{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.307{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.303{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.300{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000328275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:14.177{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56063-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000328274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.294{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.279{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.275{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.272{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.263{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.240{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.237{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.235{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.234{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.219{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.205{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.180{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.173{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.168{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.166{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.163{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.161{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.159{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.155{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.153{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.152{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.147{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.141{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.134{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.129{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.124{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.122{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.096{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.089{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.083{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.077{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.069{F6DB49F2-D1B7-6305-CA00-000000007602}48603728C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000328235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.046{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000328234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.041{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000328233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.034{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000328232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.026{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000328231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.016{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000328230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.008{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000328229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000328281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:17.772{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A175CD25734ACE3FFE97AE595078E96,SHA256=1AF8A422A2741D6AA14EF55085D105E9FF836ED4CED5AAFDFB139321556E52A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:17.851{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BC54FE6A72BE4FEEE648CD79DC5F97,SHA256=327F108801A3DBDACE14A20AC20E25C1BE47EC36567879C916131376236F5EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:18.865{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA571DCF94040905DE1C0501FD0F983,SHA256=2BC53E633B9C21F833A4444D43AC966D46D24E910CE2335281492CA42556BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:18.854{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD045B8BC45AAC94C25231C199B5AAD,SHA256=84B1D6D986768361B774D0908EC7B1CF41A7E5643B20046C73AFFB4B4F7F96B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:16.457{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56064-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000316401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:19.972{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1A2B58544C1B48B5C23A2B6F5E45AF,SHA256=235A721184C3BEC5A53806D20183DFCBD04062D2A9D47DF9638484FD9346760C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:19.872{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B1F41B06049388A77054929BCA3780,SHA256=18FB69E81A41A25ED0F39502F804C2F328AEC66DE19CBF7B18889A56C8C88F23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:17.870{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56065-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:20.972{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F494A7AB9F60423D3A0B41C3433308,SHA256=28D25CE5CE2C97296A156B3938ED403ED7EA37573971133A41DCA537D8964C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:18.697{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62132-false10.0.1.12-8000- 354300x8000000000000000328286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:18.753{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56066-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000316404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:21.103{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A6312BEE2A7C19031A5A1BB1DAFA68,SHA256=2420C20F4F2CC48012C93F30728701C2A2E1D52F5806022832C22F537BC41BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:21.035{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:22.119{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6907AABA5EC577A821309D7E71FFAC1E,SHA256=EEF7357A56363C23DA71958EBF222222D9522070E06815A2ABB1A8F47CAD800B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:22.012{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA3F8ECBB951BF6DC5E1D7F29F14B53,SHA256=AE51C04E341E0DE9F7719C50329CE50CEB1956BD2AF4B1E4010D9ABB4A4939F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:20.497{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62134-false10.0.1.12-8089- 23542300x8000000000000000316406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:23.145{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED388E49D45102B9D7CA2E39346B057F,SHA256=05CE3A66795B6F4387CA450123ACD9C16B56FB61768D45310B0551CD6EB8F302,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:21.025{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56067-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:23.127{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB0A96D45D8979D682A55076A4EED2B,SHA256=527471B050BDDBC2FBDE554421AB2DCB56AA1690E6F4B2D1856F869D500880E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.758{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.752{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.749{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.747{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.745{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.701{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.695{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.675{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.669{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.661{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.644{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.627{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.612{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.602{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.590{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.582{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.500{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.495{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.251{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BF0CD600FD9B869EAD49AB3BB94FB4,SHA256=CD7CD43FE834546AC9714F024E42F942C7D2CDBC921EFCC4978F3852170E2C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:22.873{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56068-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:24.228{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EA61567B0ACE4D4B020E6242977324,SHA256=1BD7A0E4452BEC4F62C6E8BCC7B4C23A83774487D8DC7845EFE51A13B3454D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:25.306{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5510CED2049281D646D5D1F9217FE245,SHA256=F3A476EE8F40FF92BBA6D5AC80137139E2D710011D584C5A0D9FE10727BBC8EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:23.295{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56069-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:25.412{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5E8320D0DEA079BBD5CE2553FB1DE077,SHA256=37DDAD734C1C2D17DB70FA16FA00CAC03CEF51FE653552807F84CB477E287451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:25.358{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C63857FDCCA612AF9A3DA1A2237BFA,SHA256=B1A51A35E86DB4092482FE7A26A257B86F9F3B56088CCC86DC66629F7E1D6EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:25.176{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:25.175{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:25.171{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:25.167{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:25.166{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 734700x8000000000000000316440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.764{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000316439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.764{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000316438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.763{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000316437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.759{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000316436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.759{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000316435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.759{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000316434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.758{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000316433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:26.403{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3532E54453E54241199002056CCE79,SHA256=CB26462CFF063F5198EE01B813C63D10F8D6A1A5CC9C92C98BD7475F95CA861A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:26.375{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48706FBA820890E7F6A83EA2DA89C358,SHA256=C3226C313968AF3D48EEA481545B0FDB8D56C2FBE3B7F41CD07C22F72015B5CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.912{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.910{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.907{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.907{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.903{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.895{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.892{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.890{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.887{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.884{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.882{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.876{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.846{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.836{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.824{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.796{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.784{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.777{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.772{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.770{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.765{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.763{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.760{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.759{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.757{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.756{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.508{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5CE5C9FCEC9F5DE8E97A36A8497C55,SHA256=B451ACE1DA7241B26BA24534F24819D5AA85ADB2AA0B1C5702750D95CE7BB339,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:25.578{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56070-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:27.479{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61CFA4D8810751ED6815068F5D40B11,SHA256=40AF1FAAF395D417720906D5B6396273BDCD76235BFAEBB3DF08421E51F6CA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:24.647{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62137-false10.0.1.12-8000- 10341000x8000000000000000316445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.249{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.248{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.231{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.230{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:27.224{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:28.607{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42AF7282FC06167757024D21D39089E,SHA256=D6E565CC7F33A95947AEC0D15A8CCBA08D53F5555E3FD41F88F7840513F1FBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:28.596{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF842B8CA0DEDE380FA2C38E4C3A6DC,SHA256=5CD8FD1C0FDD0BE7CDEE2D7AF898FF9396FB5367CC97105A9B9704132DC776C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:29.738{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297FD83D4240EEE6314DE96A6620E74F,SHA256=E6C94E34CA8215160FEEC9544894F5F3859A61C35CD61107B0CF572D7B533CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:27.887{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56072-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000328301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:27.777{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56071-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:29.642{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5916DE490ED7C06B40598F195B3717D9,SHA256=DFBDB18E317B27AFF264FC8A1397D6E51CA91A76E951D52D045A644ACF09DEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:30.823{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3447E23CDC9AC2F35FC9F84910EEA30B,SHA256=D4F29BCCCD3D59B2481FC8F09A74CC59308DC5ECD702381F169B24592910E04F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:30.727{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190C04E85EF4154D80132A8206BBFFCB,SHA256=22E1F22CAC1ECD0C2809DA93D78A872D1BE562D395D7AAAE14949C6A95A42023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:30.344{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-187MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:31.922{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA7960CBCA6F3F3AD9C3FFDDFF4122F,SHA256=DAEE62E371AD351F2BB79C25F345A9A7EBE979400F4E8DBA84E11ED013A49989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:31.842{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39864D28FEB44AF1C6E1735B2EBD60F,SHA256=5784067C74AB6E5E53D455FDB21D6697DFFA9B018D5AB9DD7162444C117436CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:31.343{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-188MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:32.976{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2AFF8F9C55E6A76464B5D474AAF4A6,SHA256=01A9866AAEE7FF21EA26AA85CF981386BF42AAA557D9753BDACD546719C3378D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:29.978{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56073-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:33.975{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CF33E18C252752B8D1F9C1C1889F6B,SHA256=48855168794015BF7CE622E33104CEF26B34C83317827C7305FC359DC8F84355,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:30.578{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62141-false10.0.1.12-8000- 23542300x8000000000000000316478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:33.003{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0023C2D9977A862CA2B621C14934F15D,SHA256=BF1FED39543D8B046625022B58921B11CBFF906162A986285F167FFA9BFFB31C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:34.101{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D22485E90D57177FEBD8B37789A9E36,SHA256=4B9610E77A09128CCD22C34F0193DA8F7CF6E46254F4F6E8C5DAE06482597E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:32.179{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56074-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000316481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:35.221{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137B8C7C1EF1D87408D262E5A0E8F66A,SHA256=D4250AE9D44B4A29DC48E0227F10EB86575EB2331E75F7504131FCFA39D02E87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:35.995{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000328312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:33.886{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56075-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:35.076{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D956CFF28860F3617A95BFEEA5EC8189,SHA256=2AFFEA50A34041703170F7414BBCF5F674E2A9A359D3B23749424F02182F66D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:36.336{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A4B2D6715FB5932BA581CBB5155DEC,SHA256=889D672335CD0E8CC117A323248EAEC60E16A6E2C08076E8D9D90E506421ECE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:34.478{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56076-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000328363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.300{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.297{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.294{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.290{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.285{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.282{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.279{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.276{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.273{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.261{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.243{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.242{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.241{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.240{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.229{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.187{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000328344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.179{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB2E827E6889418BDBE42522958AC38,SHA256=A20E1EB2D32AECFCF7B5C02D67ADAFDB12F22C1FAF7F6307D3AAE16085298577,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.178{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.170{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.168{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.157{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.154{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.153{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.133{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.127{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.121{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.107{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.099{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.094{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.088{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.081{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.073{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.045{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.039{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.033{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.022{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.006{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000328314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:35.998{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000316484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:35.598{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62145-false10.0.1.12-8000- 23542300x8000000000000000316483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:37.453{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DCBDB92807A491F9E94063CBB66B3A,SHA256=1971BC27F6380A80A3056B47F91B5E055D738E517CB70387419F07959EED8AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:37.528{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF62120AD8C45B260265F5262F9023D4,SHA256=80FCAA9B55666C816FCCCC8CED53A9249886D7F888FEF1E7BD507DD165D11957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:38.587{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1707D2B4782CFA45907DF8318446C26,SHA256=0F89665F84B851EE36EDC02D01AEF49B9FB8AB9F5E643D694EBCFF2E936C0C90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:36.742{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56077-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.560{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58EDF4278C9E57FACB3ACC24D7082E7,SHA256=B77D48C8A8A1763E300411A611D049D29C8568396EBA47C29DDFB30AFB46FABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:38.224{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=34B573C73D3ECD5F6EF338D35B7EF0D8,SHA256=179A25E2188307EB29658480B4EA17115507A34423FB1BE4FDAFE70472CFBA18,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.347{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000328371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.346{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000328370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.345{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000328369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.342{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000328368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.341{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000328367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.341{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000328366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.339{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000316487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:39.824{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1CEEE813BDF9B3C730E0BA953A91C8,SHA256=A17AE09358BEA6332EA9547FCDEE6AD7F82BD37065833E3BFE6ED29B01B0FE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:39.658{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4276A884F0E7A18821712FAD4C2563C,SHA256=C64AD23F67A4DC386FB23C74BDDC7EADE4A9BFF9DA5EB49740F241E0ED78B959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:40.955{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D681DFE0D80175A8036CED99C7D5A23D,SHA256=9584AD6C3C6CDEDA5A0ADC2CC1C2330355132F2418B719AE80F03968738CC3EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:38.926{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56078-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:40.758{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7433BD21DBBA7337F3917CE463835FEE,SHA256=2C372017EECF0D09BCEBB998D6858DAA5378E8A60F4C3792F4DA514A02C09B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:41.857{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F4078AD666432090B5E43281E32D55,SHA256=9C6CF853D29F2BC025B707F5CD086E519BF8AB1EBDAFF9698D7C5B2B672633C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:41.604{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=172A47C72BB578B0246622DE90D76EA5,SHA256=F07745DC2CBF66A5616FB470BEF73F981C220D4425E336A8BC05CD98929123CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:42.994{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3ED22DC4DF495EC6F1DF1D927026161,SHA256=0CF86F8AFA10B78FAC908C9E2558A052E9E1A00070485585D85C7963FEE451EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:42.041{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FDD7D8F231FA247EDB0BA789F57EC6,SHA256=0239852A56394AA847CB486DEBC364E453E78F360E778067B04678473DC13B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:42.028{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-187MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000328388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000328387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b16db1) 13241300x8000000000000000328386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b79b-0xe638d1d0) 13241300x8000000000000000328385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a4-0x47fd39d0) 13241300x8000000000000000328384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7ac-0xa9c1a1d0) 13241300x8000000000000000328383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000328382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b16db1) 13241300x8000000000000000328381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b79b-0xe638d1d0) 13241300x8000000000000000328380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a4-0x47fd39d0) 13241300x8000000000000000328379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:28:42.472{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7ac-0xa9c1a1d0) 354300x8000000000000000316494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:41.581{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62149-false10.0.1.12-8000- 23542300x8000000000000000316493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:43.156{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D3DADCF4CB1EBDB7C1E5225E8E473A,SHA256=FE6780930CD9D6A93BD1FBAEF09C9EC9EE818C733DF4691A22DB74737829DFA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:39.857{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56079-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:43.025{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FF4A6BA752A5B968B4606079C2C0A517,SHA256=4E1947D10BA3C5891CBBC5349B1BBC37672C1913CCCC03793273819DD62E5E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:43.026{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-188MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.647{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.641{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.639{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.637{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.636{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.614{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.607{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.594{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.589{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.583{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.575{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.568{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.558{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.549{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.536{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.525{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.474{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.471{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:44.273{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5022F0D427B2CE920ECEAC3433167672,SHA256=B1DCE49647C10D1D3E756DEF6A45849AB2D2B9D04922194790982CE5E45A9BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:44.740{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:41.109{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56080-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:44.093{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637A180974AB0F02C9DB55B22EB11E02,SHA256=7F3EAE2C7529A15A75E692154DF128C0A61FC1D7E1C2F6561A5B3E9B09291BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:45.310{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E87DD99A4013A13638AC103CE9B138,SHA256=7ABD818ECFE2B56DA316C5B79E1268B6EB14C416440F9519C3BA704D86756179,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:43.392{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56081-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:45.224{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5612BF506449F8DC65CADEA1550F1F82,SHA256=6FCCC1969DA85D3A4E2E3CB300593E2980F3FD276D1856A9C58078CAA0D26060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:45.091{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:45.089{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:45.085{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:45.082{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:45.080{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:46.441{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F6FB8A4540B44FC9F19E51056C404C,SHA256=BDE5CD9AB39A13532B5CE2CA39364EE7F3CEC4CCCB6437F1BE3F77C9472F15BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:46.339{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB53DC92A6F009757C665F59D2EE4188,SHA256=EB02BE672998BF600761BD0CB0770DAB762FBDC30548D529EFD80E7388D9E497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:44.487{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56082-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000316585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.973{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34388EC7548164B1D1D0EBF78DF254EE,SHA256=CA0C713747AF9EEB750F57140EF50B06B03A65A014034F2E3821C7CEB902769B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.869{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.866{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.865{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.864{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.862{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.859{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.856{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.853{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.850{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.846{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000328400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:47.356{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF0D6490AEFED1E86597ACBB2839F46,SHA256=6B3493986319995ECF1BEEAC8BAC1928ECEEA14EA8135FCE940756B08EE58632,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:45.017{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56083-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000316574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.845{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.837{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.796{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.781{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.768{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.763{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.763{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.763{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.762{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.761{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.740{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.730{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.711{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.705{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.703{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.701{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.697{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.694{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.692{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.689{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.688{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.572{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41081FBC6D5D8888D04A275A3096F09,SHA256=C3E8AD2E5549C9B39BD9011C14266B4CC047078090A846295B9E2280AF4623E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.170{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.168{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.151{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.149{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000316521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.142{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000316586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:48.675{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348BF7F92C5CAEDECD2F98985FDDFD40,SHA256=F94D73252108141C746CC160DB66C386E64C9A938CA18E738C6E146E9E165D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:48.440{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CFCD2E0E07DD7DE6C1687ED32B7C43,SHA256=F1DC6751C287423DF3F2F6368BD58D06016B5B4D50DCEE66FABE9E45B7A94023,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:45.591{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56084-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000316588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:47.503{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62153-false10.0.1.12-8000- 23542300x8000000000000000316587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:49.707{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5514A05BBE174E46DFF05C70DAD5D7DF,SHA256=B30CFC6A185033198DEC475745CCAB4B1EF092DE881CAF7FF20656E65FE52CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:49.440{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0DB073CDA55CE650AA1BE01718E9E5,SHA256=CC515AF76CCF3ADB7661FE192D597C41BC56AB5D3A000107AAC40FE22DCA4DA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:47.775{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56085-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000316589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:50.842{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF922E806B45D31EB4F5DC2038715E1,SHA256=7DEC95B46B4676EE2D4AE855670D4B1CC1DCCB6B5A4189ADD4F443C002DC0432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:50.472{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212E84F9ABFA9856F94F4B89622CB876,SHA256=E9D97BD8FAA54CFFAB2D732BBDF3B1FD16569AAF6FBB303B11EDA8B058F6F0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:51.941{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F88E31514CC78A004D802A07E4AC99,SHA256=E327325D5BD441902BE6C8D7DEC5BFEF3B9109D9F50B48E4BE9CC52B692F95AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:51.572{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1579EAAF32F483BE7344CE5BE14A6643,SHA256=370E5AF0AA03ACE93C2089E64923CCE5B8C159CF6263860E4FA5EA5F290D3382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:52.691{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A916D34D4C9C5558F2F0437C08D2C2D,SHA256=B7887E285609AA5729F20D5E8EAB498DBDAFBC5DD68B545799BE7B6BECF83C74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:49.975{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56086-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.822{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B2FDC95F39200EF05F6C445D752918,SHA256=D00F451A5226E8A72163C4F958001A1B88BE052D303263299B702886AFF8BA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.738{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A96DDF1FBDFFD22035CDEB4A0CD1580F,SHA256=2D3101AF240E617320A8AF2625B18CB2FBA33E9EF7C09B5A052B7046BBAFDD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:53.056{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C17764D27F109A8AF037D4FA9BFC15,SHA256=08C7B76DFEC4EF0F1AF4BE6B0A817F345EF8F7D8975DEEE684B08793A3813203,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.338{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000328464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.338{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.338{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000328462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:50.969{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56087-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000328461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.175{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.168{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000328428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000328417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.153{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:53.154{F6DB49F2-FD65-6305-6506-000000007602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000328470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:54.806{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D923DBA708D4D08416BE2DA87CACEC,SHA256=57C3F986401A1A4E6D77596DB247677CA3B697291C6E79861C8E1A8CE25B06A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:54.189{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB71DCB6054556F3132344875D971EF3,SHA256=FEC10845589216D53F12098619049DE673A2E8D74E4C010116F73C97F7D5550B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:52.255{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56088-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:54.224{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6445ACAE551FDA302C9A172D181F1F,SHA256=64C578125534A3B906FE8854C92583E7A62F30C2BDBDD8B392F81AA3EB52F794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:55.388{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C166C55047BACA665174ADAEA1F864,SHA256=8164E2CB9A7A9385FE90C2262B3D0CE8192A915271822E5EFE060B570764433A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.670{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000328530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.669{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.652{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000328528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.605{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=14D42DC4C09410B65BC0F678E4E866F6,SHA256=FDB13498FF10273A0551CC9B5DB3A1525E06B7A579B8D56EE4DD68797F9BD0A3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.505{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000328518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000328496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000328493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000328492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000328491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000328490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000328487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000328481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.490{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.491{F6DB49F2-FD67-6305-6606-000000007602}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:56.465{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80B7B3E7FCC79E1D8BABA2BD98B14C2,SHA256=8C81FA50D5D4BD0EB162DD4159C4744C6606712DCA9DAFC1EF2E181B0F8B1E03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.356{F6DB49F2-FD68-6305-6706-000000007602}47525948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.356{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.355{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000328637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.336{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.325{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.323{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.317{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.314{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.311{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.307{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.300{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.295{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.293{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.285{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.266{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.264{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.263{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.263{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.249{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.238{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.216{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.209{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000328618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.208{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A447336B4EC058CA5E357BF541FEB0F,SHA256=5CF01BB09A02928482E719D24375658156818B0CAA6399136245770E4277C396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.200{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.188{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.185{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 23542300x8000000000000000328614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.185{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64090FED329E774584A5F2BEBE8D4779,SHA256=5C8D39A5655C372EFC367D9EB53D3FF03641664255BFAD366345776F8A784FFB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.185{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.185{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000328611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.184{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.182{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.181{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.181{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.180{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 23542300x8000000000000000328606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.180{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD73B0CC17585A3402FF02A7934FC06F,SHA256=A9534BB207519ECD842FB56528F48392CA75D8AB2B345F3737AB3A1E67426090,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.180{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.178{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.176{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.172{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.171{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.171{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.171{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.171{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 10341000x8000000000000000328597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.171{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.170{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.170{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.170{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.170{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.170{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.169{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.169{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.169{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.169{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.168{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.168{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.168{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.168{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.167{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 354300x8000000000000000316594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:52.690{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62156-false10.0.1.12-8000- 734700x8000000000000000328582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.167{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000328581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.167{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.167{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.166{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.166{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.166{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.165{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.165{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.165{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.164{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000328572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.164{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.164{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.163{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 734700x8000000000000000328569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.163{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.163{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000328567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.162{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000328558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.161{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.161{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.161{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.161{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.161{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.156{F6DB49F2-FD68-6305-6706-000000007602}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000328552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.159{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.155{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.152{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.144{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.139{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.126{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.124{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.110{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.100{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.095{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.088{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.076{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.068{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.042{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.038{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.029{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.020{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.012{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.002{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 10341000x8000000000000000328532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:55.999{F6DB49F2-D1B7-6305-CA00-000000007602}48601896C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C803D0) 23542300x8000000000000000316596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:57.558{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA776604E74739E95638B89FEA16EA18,SHA256=1F31E2A43D301292462D274FD2271FBDEAAF34CA60A59EAB568EA6AA60CBE6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.921{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA2BF973A1A8C1FF30919C5DEFBCF25,SHA256=26574E27C3212F4D47336D73234D5A8880D8E7A2F30D565ACE348E5B7555045D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.843{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000328703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.842{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.841{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000328701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.829{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.829{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.829{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.828{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.828{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000328696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.828{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000328695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.674{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.674{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.674{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.674{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.674{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.673{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.673{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000328681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000328663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000328659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000328652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.653{F6DB49F2-FD69-6305-6806-000000007602}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000328642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:54.436{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56089-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:57.306{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485B60B873F1564096F4676F267912AC,SHA256=C613E78BBD16B2BF5B9886EBC60790EBB8A0C15FDF9A3CC3082431651780D370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:58.688{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4074FA61D5A29223D390B8537BE0F095,SHA256=842E7FA41996DF0086FDAFD0DD85DC529E91BA14614198BF75F41815849E09DC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.521{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.521{F6DB49F2-FD6A-6305-6906-000000007602}47602336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.521{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.521{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000328759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.437{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918644593E6185A1F6282B264144EA9A,SHA256=B79E57F3A01A070203A35D45ED3E563092936AB0FFB3B8B2C80F8E4A4B8C1190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.605{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56090-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 734700x8000000000000000328757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.353{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000328716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.338{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.337{F6DB49F2-FD6A-6305-6906-000000007602}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:59.788{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E9DAC09558E4FF4FA35D032A0DBD9E,SHA256=2AFAE58E7A9316FA28EB33DF828EE977A424019ED0C6970A68C1EA30729A2434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.905{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC402837455EE243394768BAE2CE750,SHA256=6EF16C71F609A685F9474A25B2CDD2B1C1E9646F7807A2AF247EBDBACA38814C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.743{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.743{F6DB49F2-FD6B-6305-6B06-000000007602}50563620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.743{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.743{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000328875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.581{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.581{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.581{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.580{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.578{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.560{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000328841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000328836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000328833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.546{F6DB49F2-FD6B-6305-6B06-000000007602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000328822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.544{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EDE42199C95D39B80220C17C40C78D,SHA256=1456E8A80DEFB139052436F9F81E9120971A37F203A8EFD2791AA597DA7E2545,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:56.883{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56091-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.343{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2EB98F58005E0071A83F14DF669714,SHA256=2C5D686E8A4259B616DB993CF2149BD5F08B63A9E0EFBB29B48636731C8B1A38,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000328819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.159{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000328818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.159{F6DB49F2-FD6B-6305-6A06-000000007602}47644620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.159{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000328816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.159{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000328815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000328814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000328813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000328812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000328811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000328810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000328809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000328808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.027{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000328807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000328806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000328805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000328804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000328803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000328802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000328801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000328800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000328799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000328798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000328797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000328796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000328795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000328794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000328793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000328792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000328791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000328790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000328789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000328788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000328787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000328786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000328785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000328784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000328783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000328782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000328781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000328780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000328778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000328777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000328774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000328772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000328771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000328765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.012{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000328764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:59.013{F6DB49F2-FD6B-6305-6A06-000000007602}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:00.826{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55399131D7FC4804B833F519BDCA2429,SHA256=96A637EFD484B98DDE6219664F69D46153034466C6C020B7DCFB8B49F686EBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:00.481{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9AF06BB53BC1EBADEEF6579B2FB60C,SHA256=F4AFBD3F54B85B4E018BC53A529AE92F44AD02591812E59205AB680B79FB1CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:00.074{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD31BC30FAA5D142AF41338ADD61483C,SHA256=A09DEF4EB5779BFFB5C3DA123D3C005A63648CCDEB8C90DB7D73FFC07DACBAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:01.928{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48920FAAA8751ADE9D9470C800F779BB,SHA256=1A9385B846A05728453BF8A3BD96DE642D079B913441BD9F498D6565AAEC0EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:01.516{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E258D1E66DF1CEA051084D1407E80175,SHA256=5D908FC19D832BD5ABAA9701A778BE771F07AD7356CABEA136CED7B90DFA155F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:28:58.888{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56092-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000316600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:28:58.685{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62160-false10.0.1.12-8000- 23542300x8000000000000000328885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:02.663{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EBDAC8FFDABBA332D361B9AB33143A,SHA256=A643AD5352C2ACB59BD25EA690778A8559415010E3839D1C3415D181CA58A4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:03.763{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A1B86DC9350A8723C3420BEA8A33D1,SHA256=081026664B3CB0BD4A76814C6BA0675E7AC3EB79C09B7EE4617D28829CA3079F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:03.040{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD7F823560DF5A8081F3FC9D6A4F297,SHA256=5928C02AF31C0A11CF1AFEBD7CD002E5D05B6FFFF4AE5D246387776997EAD3B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:01.082{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56093-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:04.848{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36401C2C97481F04476CE30C3BA00D46,SHA256=D85D0BB8FE7B6C31F974C8BBA561E8855A45E418608E714EB93E742FD4ECF60D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.726{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.720{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.717{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.715{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.713{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.685{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.678{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.662{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.654{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.637{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.618{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.588{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.570{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.564{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.554{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.544{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.477{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.469{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000316603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.171{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FAD2AE07416840A70F9E0B73728237,SHA256=20BB8CE60DD094A28BD0A68DA1D39A2BB502619C7101AB139E82CD6E134E740D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:02.876{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56094-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:05.954{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3E97C89B9BC3F9AB22A73ED60E1899,SHA256=75059A041CE3A249090521A2FBB9EBC614C4D2839BB56B2BD28C9D15E0F2BADC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.989{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.342{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85654A7D06A34DC6809790030E1A0650,SHA256=B2124C7C5CF38770D60C6DD7ADD8ABE94375AAF9916D4DAA6EE455367A722057,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:03.283{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56095-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000316626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.150{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.149{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.143{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.139{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.137{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.763{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.763{D25361F1-FD72-6305-1706-000000007502}41766872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.763{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.763{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.609{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.608{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.608{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.607{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.605{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.605{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.605{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.589{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000316695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.576{D25361F1-FD72-6305-1706-000000007502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEAE96D1534C73FFFBAF7594DFB19F9,SHA256=1073FAA541DAF75715CEB435F46FEAD4B600FF9568ABBE65B13FA0AC1F3FDF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.573{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9162DC19BA89C3BFEF250115833AE97C,SHA256=D79CE34D2E3CD22D8DC65F765D97698B11CD308EF0ED842328C3332AB0CB06D6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.175{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.175{D25361F1-FD71-6305-1606-000000007502}46085960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.175{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.175{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000316682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.107{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B6626EBF70DFD945B5AE467001552C7C,SHA256=C72D9630CDB23D4934186C2F87DAA80A47452299FCE59D40E1B20B6E8A6B9C74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.043{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.042{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.042{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.042{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.042{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000316676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.042{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000316675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.020{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.020{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.019{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.018{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.016{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.016{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.015{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.015{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.005{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.004{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:06.004{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000316641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:05.988{D25361F1-FD71-6305-1606-000000007502}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000316861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.978{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.971{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.961{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.936{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000328893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:05.563{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56096-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:07.056{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C9A56E4760D2B3AFA701E884FAFD6D,SHA256=25CB5905B02D976D867213802633CDDAFBEAFD2424BF60E7EEA67D1DB2B5BB8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.929{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.919{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.918{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.918{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.917{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000316852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.916{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.914{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.913{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.913{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 23542300x8000000000000000316848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.912{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496EC8610C5A658AADA4770710A6009A,SHA256=E3A35D3ED43F6D70CB71D8F3EF1462611A8B286F2B7F064F38F5C7C0A6E9DE31,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.912{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x8000000000000000316846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.909{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.908{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.904{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.888{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000316813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000316811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000316809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.873{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.874{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000316804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.747{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.740{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.737{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.733{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.727{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000316799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.473{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C0804A3F4914B3B383B0A73C3B600AF5,SHA256=17E8F38F3D490B7DF8C3719BDB2CD9D7B1D7922D7CE22B9435423E8F37E9175D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000316798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.373{D25361F1-FD73-6305-1806-000000007502}62605368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.373{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.373{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000316795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.271{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D632452232F33E13584D610EE450889,SHA256=4C3526BCA35563F71F70D44F3823F8088B5295F6083F8AD9A11DDD53C8297434,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.227{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.227{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.226{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.225{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.224{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.224{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.222{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 10341000x8000000000000000316787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.222{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.222{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.221{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.221{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.212{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.212{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.211{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.211{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.211{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.211{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.210{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.210{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.210{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.210{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.209{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.209{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.209{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.209{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.209{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.208{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.208{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.208{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.207{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.207{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.207{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.206{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.206{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.205{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.205{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.205{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.205{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000316756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.204{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.204{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.203{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000316753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.203{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000316752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.202{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.201{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.201{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000316749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.201{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.201{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.200{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.200{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.200{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.199{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.195{D25361F1-FD73-6305-1806-000000007502}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000316742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.194{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000316741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:07.108{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B2A4F0E6514D5B4B6C03B39801F6A3,SHA256=0EA85F5ADE2D2254749185284F2F9952FFA1A2B2BDAAF12ABCB11CCF0B2F93C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000316740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:04.658{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62164-false10.0.1.12-8000- 23542300x8000000000000000316935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.829{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9164EF6AC5D51DFA459067116BAE39E1,SHA256=565BB4F7186E090698B18C549C86D277B373881034578F77FC42E111BA9FE443,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.745{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.745{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.745{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000328894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:08.129{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1CF43518ECDB47A698FD7BFAE5990C,SHA256=AD2B1B6262E1C6D669A50135717383FEA80FCFBDB31B260D1634CF27E0E95E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.660{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C0144DE448AA8E22B6194B85BE16DA,SHA256=A7C860760230A68DF13318DD52D19EEE25AE4D25E9E06FE54F17807FB17B7A8F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.560{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000316921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000316898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000316896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000316895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000316894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000316893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000316890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000316885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.545{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.546{D25361F1-FD74-6305-1A06-000000007502}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.305{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB42E61529A9F9E7690A42D810817624,SHA256=2D787628D9BBCCD4B89E9D6AFE29496655DC31B72CFD363EADEC15BEA6AD4284,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.103{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000316876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.103{D25361F1-FD73-6305-1906-000000007502}51122088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.102{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.101{D25361F1-FD73-6305-1906-000000007502}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000316873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.064{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.059{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.057{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.057{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.045{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.043{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.032{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.030{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.027{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.020{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.017{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000316862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:08.003{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000328896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:07.855{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56097-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:09.227{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF89E515792FBA7D2DA4D524725E25B9,SHA256=82F28713BBCC5B1683D231D51D283DDDC446DFF98E4B23A0ED2FB0C5FDE621E8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000316986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.360{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000316985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.360{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000316984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.360{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000316983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.233{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000316982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.233{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000316981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.233{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000316980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.232{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000316979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.230{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000316978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.229{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000316977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.229{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000316976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.229{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000316975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000316974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000316973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000316972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000316971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000316970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000316969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000316968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000316966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000316965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000316964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000316963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000316962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000316961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000316960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000316959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000316958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000316957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000316956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000316955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000316954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000316953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000316952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000316951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000316950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000316949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000316948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000316947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000316942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.213{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.210{D25361F1-FD75-6305-1B06-000000007502}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000328898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:08.819{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56098-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:10.244{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E35540C5A3D3C2BCD76CEC79D084065,SHA256=B684FDEE951DA4A67A8BE15C2444BD7DA932631065DA08CC70A44760854E4FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000316987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:10.009{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70650B5AE7F070264F621143B52E430,SHA256=834C6CAB93488D5919A237948AFAF6A3CB8B02FBC902F2D7AB09FDE5FC2866C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:10.154{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56099-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:11.372{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948395234BE0F3EE6F114EAF51DB8CDD,SHA256=3765DDE4375014AFFFC7D80C1CBD930B6528BA2491E6C1E3265E8AA9D40C5602,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.344{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000317046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.328{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.328{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000317044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.369{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62167-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000317043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:09.369{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62167-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 10341000x8000000000000000317042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.172{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.172{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.171{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.171{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.171{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.171{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000317036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.127{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.127{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.127{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.127{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.127{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000317022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000317004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000317000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000316999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000316998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000316997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000316996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000316995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000316990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.112{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000316989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.107{D25361F1-FD77-6305-1C06-000000007502}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000316988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:11.108{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1CFE665903E9213C5247A40F4F713B,SHA256=EC3CDBF43C82AD7315ADE70E4EB63E3F138E692AA67A0BC6B49D45AFAE88A6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:12.488{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E0B0501FF42E97B22D4715C57A669A,SHA256=59D984E2C0A01527FB4B5586806E5719299B5A1263A6F2311ECB1D9838E904F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:12.710{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E377B4747E582BD55A1AF63143B4D655,SHA256=1C6FA8C0B5ABE5F8A2AF519C746991C42A9472F010B348B78657B4008DDB9F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:12.210{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B615AA8E2BE80628FC4CC63157EBF51F,SHA256=C588CC89B95DF6CD30505353C19432CC5A696D44C05CAAEDB48E30537F65E04C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:12.354{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56100-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:13.623{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7BA4470FAB3AE5C29D040D0F31ACA4,SHA256=FD9E142E8194EEB1B4AAEEAD8FB6D50DCC4D24893EF6A1B38B627FD07351D335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:13.343{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138F22D087CCE4462AD0E7DA706F2C3B,SHA256=401A7750D416DC0E7CAA468372B5577A07778A65CC339951FB7E86063B3AADDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:10.605{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62169-false10.0.1.12-8000- 23542300x8000000000000000328904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:14.754{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D30B7620B69D73CE1799EC3D4E3FCE,SHA256=A477A0BED48B2E67EEF113433C912214BECA903AD768BCF4D67E2953438F83B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:14.358{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C9B6AB09DFA13BDE6246CF30C9B896,SHA256=6D619306868BF43AB555CCEE23E26F75769503C57EFD6291F1CC518A993E3E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:15.488{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C95C0959FAFF0A8D15DC6EB3BB82089,SHA256=E43EEAFF361C588DE62557260F4CE6ADA26648F6C8D5F32AC6ABCC470AFAFE46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:15.998{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:15.996{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 23542300x8000000000000000328905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:15.870{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502250D47FF165554048A00AE95C53EA,SHA256=DF67277BE4481EE7CB876E9DC2B0CE2D7B2D6C51240FD744108E0C9B192968EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.969{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD5CFC9C665B8B4B14D23103D1D6BA1,SHA256=EF5572CE1B884573DF57238CA718B7D37835573031538C6F878C501311AB5BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:16.625{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB704DA563035090AA380F4B7B65C40B,SHA256=171E72E6C6996E9A20E0582825B4E1150CC413AAA9014E4F527C3FD799395A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.407{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B72F6C9BF8D2064CFA62A7E5BFAD8ED,SHA256=2672405431A9B59B3BF753E8F21D6BEF573F39A039661C0A64A3BCED323CA8FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000328955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.298{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.296{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.293{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.291{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.288{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.286{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.283{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.279{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.274{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.272{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.250{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.249{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.247{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.247{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.236{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.222{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.203{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.196{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.188{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.183{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.182{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.178{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.176{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.173{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.172{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.169{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.168{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.166{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.162{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.158{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.155{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.150{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.148{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.145{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.132{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.119{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.111{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.105{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.098{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.091{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.084{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.053{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.043{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.024{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.014{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000328908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.005{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 23542300x8000000000000000317055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:17.741{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654860C7E75D1217A108252520486F5F,SHA256=31E2CDFBA35E1BC91524FB83576A558B5D00754480F2A6CCF3E34B99C7F793CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:14.815{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56102-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000328958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:14.537{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56101-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000317057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:18.771{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8940C0E6FB5216C8D7DD88FF31A95B,SHA256=87CA8084B4B3E2F4D0F0284D50A469ADAFD0165F3590F245E27DC84CF1FEBA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:18.090{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657886CE482225F05D04E55BA3164847,SHA256=666268DF6F10D63FEB7250C2CBD0CF6738DC912FAB6BFE86C1B67357E88AA19C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:15.635{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62172-false10.0.1.12-8000- 23542300x8000000000000000317058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:19.841{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F8AA7C1719DB6061E0BA6223D99AB8,SHA256=2FCA91466053E8FF192A348A1F2E2FB28D3A7F8E955D8E8EA7C3C8111DB5FA8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:16.837{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56103-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:19.157{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353838025F62CEE96ED6718988D5AAA0,SHA256=75D3214732386C568A39BFC2111C420116F5661902ED608A7704A6D6190DA4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:20.956{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128BCBDA0DEA10D84175DF1832ABEC5C,SHA256=BFF46700AECDF7C7F24184F0E2FCCDF7C1D1213F6CBA7EFEBB5E1946D3FAD346,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:19.126{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56104-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:20.257{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74800272E1CA72DEDB45EFE69064CD6C,SHA256=4FB70CADE70B390B40033143B86AEF5C2EF6C38A198FBD7E686CBAC7B6737B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:19.835{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56105-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000328965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:21.375{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C2C578F970469760345089CA69C6F1,SHA256=43E0444106CD027C9D55F3C8D142ADBAFAAA9392041B38948AEAD8436939BF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:21.056{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:21.308{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56106-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:22.490{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DE06D6F11AA5B368B17A29928A3FD7,SHA256=27D1F0984C92CD515E9BDB630517238C88074EC9637233177B2D43A92863EB56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:20.518{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62176-false10.0.1.12-8089- 23542300x8000000000000000317061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:22.088{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F86499FDC733C25D6E22ACAC440867F,SHA256=954DE8F531D72A5F67B2D3ADD34C55D1EF6B7457E4B0B027D0C6D70B21E38086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:23.610{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68092F663F00FA6F483C83DF40D93CE4,SHA256=FF2991FD34EC370CBA24CB551B7B1D396A76A9CF80D57C7A2BB2B52BF0874514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:23.206{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BFD2B667C952D7919FAE0B86D1FF61,SHA256=041F0D5FF222D9CEE7DD317D8B86AAA20D657A2DFEF7E7C34DB38FD5EFB1D3BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:23.508{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56107-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000328970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:24.741{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB335AC34705BB7F161EB1141A4EEFCE,SHA256=9A4132D89164F19EBA99BF7EF490455C382F70BE43FBDAE99CB293DBD5251CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.692{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.684{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.681{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.679{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.677{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.653{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.647{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.634{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.629{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.622{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.613{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.605{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.593{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.586{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.576{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.567{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.478{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.475{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 354300x8000000000000000317065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:21.650{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62177-false10.0.1.12-8000- 23542300x8000000000000000317064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:24.405{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B656E28790B55102FB5A5A94224541,SHA256=B1622FDB1A2B6E9B90CD1C5BF790CAED9E0D8A72FF5F8D63F8CB70C68CC6A157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:25.550{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60AC6986761803A3F978E627FDA011D,SHA256=947F958FBA23FF980A8A9B18D8AF9E673935A2F51BDB0D0A4F844CCE44217FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:25.871{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7C2884FA2015E239DF07F0751D5EA8,SHA256=E473F4134A5E77903C73F7CE9ACFF70B20354307C47BCA090FD2503F5B1A0F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:25.809{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A85676DD8A06FD8F5BE2E455DCDCB9FF,SHA256=2ADB290628AD53F0C80C433066291E8EF3E71AECA7EF0296392204785C6B34CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:25.133{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:25.131{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:25.127{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:25.124{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:25.122{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.772{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.772{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.771{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.766{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000317096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.765{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000317095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.763{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000317094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.762{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000317093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000317092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000317091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.758{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000317090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:26.726{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F919D508750C308BE7AC26542505BCD1,SHA256=C22A4558479A2AC9D9F357803F6EF0B1D8D9E52496679D158EBA0808D70AD0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:26.872{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D1A4281EE6FBE582A5AB36E2E84AC2,SHA256=DEB7C47A2912DE6BCBF0D32FBB55F25079A719905A60D6CBD612C90A8E1D39FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.848{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.847{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.845{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.845{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.843{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.840{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.837{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.835{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.832{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.829{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.826{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.816{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0726371065684F74EAF5BE2257CEE62,SHA256=FD32D1936912A53CCB60E2CCAE590F1D49840B88F66B523F3C76D7CDAFB76491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.814{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.790{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.783{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.773{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.745{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.738{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000328975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:27.971{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276D9D93D2C5A62FA6367165B072F5C9,SHA256=D334249DADDCC9B0E3DF5E658977EEECE4AD37B5A065779185DD8A2ACBAC22BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.724{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.719{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.716{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.711{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.709{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.705{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.703{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.700{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.698{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.182{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.180{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.166{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.164{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.158{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:28.911{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09977519F738F6FA7C1131CB536249AF,SHA256=4B8100D597528B31728AA60CFB5A264D50C06E2763252A76CD39AF0E7056D506,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:25.801{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56109-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000328976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:25.691{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56108-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 13241300x8000000000000000317137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:29.543{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8b7a4-0x64766cd0) 10341000x8000000000000000317136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:29.543{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000317135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:29.543{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000317134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:29.543{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb2247e.TMPMD5=7C93E0E6DCAB68B9BCC4A82C8177A955,SHA256=A68F241C43CB569619FD463D3B05D59F2CDDBA1A0B0BFA98F8E433A34B35189A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:27.992{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56110-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:29.071{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D897495893825DFD088A3F5773CDA1C,SHA256=E5F7575B4D2DB2C1AA9DAFC8C573811F1B66A66F94D82607B9C3600E8D6790A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:27.636{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62181-false10.0.1.12-8000- 10341000x8000000000000000317141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:30.527{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:30.527{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:30.527{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000317138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:30.008{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D989CE952180479CD7C49E3B2A95406,SHA256=5A0130561BE1FD331313D043F7DFAE4485ADBB408D3FC0F41D66C832C5761CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:30.189{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C079057CFE955423BCA3E6CD3524458,SHA256=A1EF1F0BAF302D936137FC2FDAAA1886410FF3B7DB6F0B4FD23469DDFE2DB7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:31.142{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A2F901B4AC8651140A52D92A166F51,SHA256=C4D39641C07211ED863EF6586E7896B2448366896B9C1707295FC28195A4A5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:31.874{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-188MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:31.287{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AF5000DDEC46405B7E73FBFB4827B1,SHA256=47EBE6080BBD5CC52ED357C6690B99E1F2B8EBB989CD85D5622E8580E4674641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:32.259{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BA58FFD89F02C862E3D0B9F0AF476B,SHA256=5D6C7A51A70C755C75BBB3A9F2DEC6411B140E7ADD128A5CC6297356D28B21F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:32.887{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-189MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:32.407{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97326833CD837C4AC21F68215DFD165,SHA256=B6707526668E83D34F154D0A202839AB9C1E9BFE5CB408FD689774B31A086C7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:30.290{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56111-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000328986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:33.491{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5177F287BE8C933DD05B0097836F6F5,SHA256=1B413D9E052FC5F4159F84E95E72E248A15072FEE8B440AD60373A538636D99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:33.387{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9449A51D2E54FE6E8E221CE59BF2169,SHA256=4A39DDDB5595FF24B26438D205DAF3B83C3F12CB51F49AD85407943A497F1249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:34.607{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC1476C017304323C3F509A013F8DAD,SHA256=7243FCB18A11554EB6080DED808F7A0DE116382CA8593F4615B0C21708123D2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:32.665{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62185-false10.0.1.12-8000- 23542300x8000000000000000317146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:34.488{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6A1382F07EA200877824B816C1945F,SHA256=81C909E800F5052DEE24B7D380D82B8449BA4A6B0AE0EBDB48AE37EBC0797255,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000328988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:32.489{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56113-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000328987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:31.816{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56112-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000317148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:35.606{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0943FA3EBC9B0CB48A17A74F1539409,SHA256=672B511D90C6D56A732FCFAC850078F2FF93C75FD7EA21AA446577655E1AC101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000328990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:35.738{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC36B1955445649C9C336663B08C171,SHA256=A15B59F4ED2188439E28AC6F9044057270D17902D711073CE4AE3409D86B8146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.837{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BA187E0AFA97D40DE809F6F127F9AB,SHA256=19DA05DBFB521FC1EF4D1F6F1AC827D96FFD388BA3A0AF4C7528FEE8C7D39E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:36.706{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECB19F67F06253693D0AB4F714F1FCC,SHA256=23261A81035070536D0BCB4F9A1EEB2A77412E8542BFA42CF39A086C80976C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.423{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB32A1FD05ED23EA0137907D70D2236,SHA256=F8F1E3A40FB7D9663987C909C96AE83AE2A1D006FC18BD0A0BA50B7DC425CBF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.321{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.317{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.315{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.311{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.308{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.306{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.303{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.300{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.297{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.294{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.271{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.269{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.268{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.268{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.257{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.244{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.220{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.214{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.206{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.202{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.200{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.197{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.195{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.191{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.190{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.185{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.183{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.181{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.177{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.173{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.160{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.159{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.148{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.146{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.126{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.119{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000329000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.110{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.103{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.096{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.071{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.064{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.051{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.032{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.018{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.009{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 10341000x8000000000000000328991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.006{F6DB49F2-D1B7-6305-CA00-000000007602}48604988C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C6C0190) 23542300x8000000000000000329044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:37.923{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EC338226FDF48C9CF248E1A98541C0,SHA256=7D584AB81ADF816B45144F66011CB53773113BBBAECBC86F4C845A113D138451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:37.776{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4BE7350FDCEF43308AC5C7DA67AB6D,SHA256=39505DC9FF0E26D87428166CF02F5F321838B304C9662F849385DDCB17E2F3D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:34.689{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56114-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000317150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:37.688{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DA0B40C1D2941425747BBAB3EDDAA931,SHA256=77B8FEA4515B7C1D15135E80AE03D0B2041B3F7C506D9725B5542A4A7704EC53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.359{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.359{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.359{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.347{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000329050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.346{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000329049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.345{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000329048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.343{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000329047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.342{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000329046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.341{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000329045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:38.339{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000329057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:37.815{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56116-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000329056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:36.990{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56115-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:39.023{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF590118AEBC62CF96BF481059B78C3,SHA256=AA4BC7BF7A096188BF5F5A72C802092487863E6249BE439AE66EB9E3D3F81E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:39.007{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37229B2A593F98C701C556949CC28FF,SHA256=C170711432B627E980C6E8ECB088AE3CBCC90D4CADB8FDC8DBAD687F24170C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:40.154{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABE63C7BCC95D7A056A5AF344C0742F,SHA256=250325AF4E00E55369CBABC1A6F3177EF63629EF45E34DB00EA1EA46390ED629,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:38.605{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62189-false10.0.1.12-8000- 23542300x8000000000000000317153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:40.126{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22C582C89CE04291AEA242C292D1189,SHA256=8226B0136307BA55FB66D94CB4314ED2C7123E9CE935FE9DEEF1231383952A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:41.186{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4DF7B041B136E7DF1DB9BCDA6CF58D,SHA256=E41D098B0B9F58A6CC24111C72DE23B5B5C747F3BCD8C5505F588AD06795F78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:41.605{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=86E990EB051C5F51BEDFD5942CBD839F,SHA256=287980E27D3A0C8A742799CCD46263787FDB67B7CA3D24690362484D5EA523AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:41.242{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF19E425C174C04890D8A08F2E0142C,SHA256=C8E35883687E3333C8EBFEBD94A0F91D944AEBBC893848DAEFD321284FA2B76D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:39.189{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56117-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:42.321{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EDC46DC0D266A051F68ABCD2C28453,SHA256=012EF954054FE4174CEAEC15186F9A2EB7B8E2E361202D92E90E82EB9EDC77E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:42.310{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575C6CDBF7728CAAD4DB99387FFFD549,SHA256=F0864F5F23C135106834581C49FDB2C7CEAFAA4C4086B9709C8C434E3480B5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:43.406{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B205E0E1A1BCBA5CC21F2E8E04C7A6EA,SHA256=BA3207D594CEEF54F09EDF379B6750C8118D34F4F70BE0209EAFB190AB0A54F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:41.388{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56118-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000317159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:43.560{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-188MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:43.410{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F86BC55535AE272B679F80D8B240858,SHA256=00F7614EFB55E957D2478C8B02CA5037189E5FE140187D2711F4A1230FC8DF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:43.037{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8402B5D44DCFBBD050E9709CB2DAA723,SHA256=678B563B6930BCC2B6E8F3DE7009C4C76951B73787B1F121DD22EDB820A0DFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:44.769{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:44.487{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18205E3541968E2098F82007831D2A56,SHA256=FB1607790E198B114034E1908C4B08B2F5CA0A259BAE0C37B228EBE7FAF7EE96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.743{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.726{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.723{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.720{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.714{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.680{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.670{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.652{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.644{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.627{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.610{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.599{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.589{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.578{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000317175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.560{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-189MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.551{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855C5C9312B7768170FE8F14CDD6B706,SHA256=7FD5824E13F7710FD3346FAA6ABD1A779C3883B0327817EA04F346F6B507F25E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.545{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.528{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.479{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.474{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 13241300x8000000000000000317169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000317168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b25e6a) 13241300x8000000000000000317167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b79c-0x0b3cb171) 13241300x8000000000000000317166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a4-0x6d011971) 13241300x8000000000000000317165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7ac-0xcec58171) 13241300x8000000000000000317164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000317163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b25e6a) 13241300x8000000000000000317162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8b79c-0x0b3cb171) 13241300x8000000000000000317161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8b7a4-0x6d011971) 13241300x8000000000000000317160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:29:44.373{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8b7ac-0xcec58171) 23542300x8000000000000000329069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:45.588{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C3662BFA352839D5D2B8FFBDEBB3EF,SHA256=889967CDA500C447D6642ED301A095132A6E234D0952390748A62B3ACE860169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:45.590{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05DA059F680B10F6DBDB13F5B4C9DD6,SHA256=ED03528D82C9ECD01A37A330B1643B20B4E7A1B80924268E9A8886ADCC00F611,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:43.846{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56120-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000329067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:43.666{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56119-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000317194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:45.235{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:45.233{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:45.228{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:45.225{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:45.223{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000329072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:46.688{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E572D06ACC729B3508755CED638EB67,SHA256=6B913787C9C6AA48C8142962521A8B5D03B68FADD99029D7605EB6A7B37FC1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:46.707{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FA08D3A1813F9A13F3BBAF8AEDE42D,SHA256=E0817A8587DCFAC51494E9EC5521CBD797E8A7C9C37D2D878B23831B4F116E26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:44.515{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56121-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000329070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:44.230{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:841:3acb:f5ff:fef0win-host-ctus-attack-range-538546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000329073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:47.779{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF68C456058127C22C580CC13AE9DE1E,SHA256=00DEE51AA1D4172C3A45284E10A54F563D27CFF2093DF0683C68EAE0F998B809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.904{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.903{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.902{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.902{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.900{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.898{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.895{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.892{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.887{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.884{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.883{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.876{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.859{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.852{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.843{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.825{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.818{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000317212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.811{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E8F6F13F9494154F3C75F86DC0351A,SHA256=D1A2FC8F1E64E86CF3D617B88C434D870B29A6F5924A1FD2F68A25314D06BCCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.811{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.805{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.803{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.800{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.797{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.794{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.793{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.791{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.790{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 354300x8000000000000000317202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:44.487{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62193-false10.0.1.12-8000- 10341000x8000000000000000317201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.280{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.279{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.266{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.264{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000317197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:47.259{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000329075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:48.897{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844E9FF9D68CC557686005228D1C8F74,SHA256=33DE91029A05E2C5B28F8F8BB35E7855D63BBB0416FB688D727A1C3B6E9A00FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:48.942{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102BA3F2B11AE339E318CFA17D709685,SHA256=C11F5FCFCB0316C6CB26322F9E83B2FA50225B331CE8C179064A8283BD4E9379,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:45.836{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56122-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:49.997{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1001696455867CDE9342191EE887DD91,SHA256=9AA41F3B90B2120FF86B4AFE301587BC9EE693A7CDE0AAEECEACC60FDB6CB219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:50.073{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610F1880C546B0D8F4B6B373A169CFBD,SHA256=E8AACEA693EEF6C43AEB1D65BCA64C53A54A058EA641A3BD079190FB9787055B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:48.131{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56123-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000329079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:49.855{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56124-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000329078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:51.116{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A854E2D332358548A2200803407DD326,SHA256=95A533E60EE10AA32CC2614A2F2DB13BF43FC71A1ABAE435693EB74FFA2D1F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:51.206{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B13D401BFCCE93CE8872F479ADFF94,SHA256=20A29A799F19D4CD7B6CA79601661F660B83DCDB93B819DB7229FFB42161F976,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:49.636{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62196-false10.0.1.12-8000- 23542300x8000000000000000317233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:52.258{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FC013C623B2FA3EBAE57450E958D2D,SHA256=50B6B28B4AD54A0884F66470013B6853CA52310E1E258CFE0BAC86FF3757A7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:52.247{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72B7D04C2A851EAB66564B578AEC6A3,SHA256=BC8E4FC33B051550F638B614EE73C5BF6558B253A66670072807F75D6DB4E2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:53.390{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AF44D78665B6524F2493C11850071D,SHA256=8201366CED512F882276AB410E269AB690394B9A8E27A232299D48B414997B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.695{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1188C4DA08BCC4D91185DB68FCADDCC,SHA256=6360178FF240EA6FC051D4F5574E340B84514E22DF620FF3261ADFA3AB12A916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.694{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C2C9B8D9D66DD063D47CE3A9BA152112,SHA256=A13A6BDD4063078952B16D7868393255A9EE2A3AF083108882AF6CBBF4A6D0A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:50.329{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56125-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000329142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.345{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000329141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.344{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.343{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000329139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.341{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.341{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.340{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000329133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.199{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.199{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.199{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.199{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.198{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.198{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.196{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.196{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000329098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000329097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000329094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000329088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.177{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:53.178{F6DB49F2-FDA1-6305-6C06-000000007602}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:54.490{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A655576F20A39916D441B37A9AADB25C,SHA256=0E76B0CF2F41D919C8643A86A1C1E58072CB3A5E581DE9B31C8124B32E847E05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:52.528{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56126-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:54.351{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705D3CE93D5D413563AE1638AB48779A,SHA256=7411E9E68857D81CCBC49479931A918A0568DA5F26D3221E742386D9A8F45AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:54.278{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BA2F17D1F2A4978CC480ACBD648422,SHA256=6FA10A7749A241E7ECD4B29D057B55C2492CEE7DF60E25CFD4979F4A8EBBF2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:55.605{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C2BBBA01E41F09F61B53F0CC676B90,SHA256=9149C9EAE6E64D7CB6B19007CF81EC3752619AE40DC20D5AAD9F6AFFE21BC643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.996{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.989{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.986{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.661{F6DB49F2-FDA3-6305-6D06-000000007602}84036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.661{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.661{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000329203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.514{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000329194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000329179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000329167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000329158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.498{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.497{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.493{F6DB49F2-FDA3-6305-6D06-000000007602}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000329150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.461{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6281E667D38B0B12EF48482BE59DCC9F,SHA256=E56875E65B34FB040A2678DFCEE35FB9CF723C5AE30E4696ABF33DF5F43BDBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.214{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=67BD961D9A5924F3E567DB9FC7587359,SHA256=D5695B2E0D8AFB202ED8B449B79A75FEDFEC13835AB2D44FFEF84E01D65D0C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:56.690{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76987FFB3A2BE32993E9946C7A4BBE9,SHA256=F22EF7CCCA60741D31DF0C2EF83AFE2C44FDB03D2934AF929966CEC039EFFAA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:54.812{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56127-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.502{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B94DF437A5DB9565402CC2CDB05FD9,SHA256=E17DD53DD15DCD31EA475D78ED78F8B9048F23F134B9E62C772F39DADB693585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.498{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53359C969DC0D6F1757769E3925A15ED,SHA256=0F630966F792FAFE00B03C159E1CFB56A449562F5EDCBE19DD6E0694B3F245D2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.306{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000329317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.304{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.303{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000329315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.300{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.298{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.295{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.293{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.290{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.284{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.280{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.278{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.274{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.266{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.248{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.246{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.245{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.244{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.227{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.215{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000329298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.183{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC58B69523DDC4A7BEE3D309056EE4D,SHA256=F2F7BE1DA6D8CE2AE665CC4082E4A29EF87C36AFEB12696BE88E4DB72FC9ED8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.182{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.175{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.168{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.153{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.152{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.147{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.146{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.140{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.137{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000329282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.135{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.134{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.132{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.132{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000329278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000329277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.129{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.129{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 10341000x8000000000000000329275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000329274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.129{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.128{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.122{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000329271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.122{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.121{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.121{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.121{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.120{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.120{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.120{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000329264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.120{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.120{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.119{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.118{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.118{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.118{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.118{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.117{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.116{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000329249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.116{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 734700x8000000000000000329248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.116{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000329247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.116{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.116{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000329245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.115{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000329244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.115{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.115{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000329242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.114{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.114{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.114{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000329239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.113{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.113{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.112{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000329236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000329231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.111{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.110{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.110{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.110{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.110{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.106{F6DB49F2-FDA4-6305-6E06-000000007602}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000329222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.109{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000329220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.105{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0B51724D057DD82C5E140A45A847B4,SHA256=B935AE31C34AB90839C7AC4BDC5F2D11ECCE4A33986356CA9A133225DEAC245A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.095{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.087{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.082{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.074{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.063{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.053{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.028{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.023{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.016{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:56.008{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000317239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:57.889{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835D4774CA23BFF3ACF8D7BDA9E404CA,SHA256=B2BF1C9989AC5960DC864A30E8B0FBB710338F8A075109A501F7DEB46A66E88D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.829{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000329378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.829{F6DB49F2-FDA5-6305-6F06-000000007602}33244584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.829{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.829{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000329375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.676{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000329340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000329335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.660{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.661{F6DB49F2-FDA5-6305-6F06-000000007602}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000329323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:55.825{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56128-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000329322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.546{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54FD592C838A403BA0A0AE3F1203402,SHA256=E0D70576B78079780121C36674A616FFB81135AD19213A7EB0DEE29AD37E6A6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:55.622{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62200-false10.0.1.12-8000- 734700x8000000000000000329496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.859{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 23542300x8000000000000000329480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B81598F8EBDC6FC419820ABF07ADED,SHA256=F1AC803C470ACFD6E9D9904DC23D7BCC4400D7C87EA0BC6C35A344110DDABBFE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000329460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000329453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.847{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000329443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.844{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7058AC14FDBCB2DCF4A9295022C4F8F0,SHA256=8581AC50FA63C122CE088DD576402FC9E02F1A8B3BDF608F75C3C525774BFAF6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.589{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000329441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.589{F6DB49F2-FDA6-6305-7006-000000007602}32321688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.565{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.565{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000329438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.494{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.494{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.494{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.493{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.493{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000329433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.493{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000329432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.361{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.361{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.345{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000329400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000329396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000329391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.329{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:58.330{F6DB49F2-FDA6-6305-7006-000000007602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000329586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.992{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=820A3C2025541B9981AC16378BBB8F46,SHA256=8BE0E04A43261D9C54E70E24B55D828206564E21BB25FB2AE4F1B1C085FC590B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.812{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32B119112A054396F5386B222D25BE0,SHA256=105C8128A2DD45EEE7E902FD28271B2C6706715D1E4ED674DBB4CECC4606E32A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.696{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000329583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.696{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.696{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000329581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:57.095{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56129-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000317241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:29:59.007{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9964716351036691BD1B56132BA4415,SHA256=0E7CDEECFA5864DB17C7CFD1A0202CF5600FADFEC5BA984C745BAEE56D3C25AF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.536{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.529{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.529{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.529{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.529{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.529{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000329565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.528{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.527{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.525{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.525{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.525{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.524{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000329548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.524{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.523{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.523{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.523{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000329544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.522{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.522{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.521{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.521{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.521{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.521{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000329536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.520{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.519{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.516{F6DB49F2-FDA7-6305-7206-000000007602}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000329527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.359{F6DB49F2-D01C-6305-0D00-000000007602}768800C:\Windows\system32\svchost.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000329501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.192{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B27C654C7DB1B7D50274750082E85A6,SHA256=C503A2D8B1889D4970DD052E3DD258C47E3A57E82A5AC264D2A58B2756496E53,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.028{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000329499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.028{F6DB49F2-FDA6-6305-7106-000000007602}39441968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.028{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.028{F6DB49F2-FDA6-6305-7106-000000007602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000329587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:00.746{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B55AED24E946B16F53B632B5D28848,SHA256=4613D8CF681051F623126208C53A61D2607DC0DA7C2B079224C3F6BEB4325418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:00.126{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA776C2A5978976E7799754A6A5A682A,SHA256=1801BC2CF0ECFC3E4BFAEBFD6E645A40008160BAE0A9274BA044E921B986ED3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:01.852{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4934C9310EC26B05C202A40F6B32B68,SHA256=3576C0C917F0C7BF45133897DD1E6DB5939B6148601625FF44EBE4AE88169B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:01.258{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965D875D4DC6AD6C1476250F5017BC2E,SHA256=E1656499CEE015372ED20FFC9D4742417296DC165DA3D33768A5DCE0678157D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:02.953{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60ED21A23E74D4FADC7C7CC78220E350,SHA256=FFDCBFA2FF74932607975E08B61016E4BED5EF9430D4442B126071623DEFB2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:02.372{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1568CA07F6B388B0608AA723ACDF52,SHA256=103CB828CED7A7A5207455B40279079DE40004DC2825189353326A3C6AF615AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:29:59.404{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56130-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000317246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:01.619{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62204-false10.0.1.12-8000- 23542300x8000000000000000317245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:03.488{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2AE3F4F319716B6522530F27F2C638,SHA256=63E8462BA61852E7755D47C5B6665D2F88DACB334A347A149C7BBA20D19B597E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:01.844{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56132-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000329591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:01.603{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56131-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000317265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.767{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.750{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.748{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.746{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.744{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.711{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.703{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.675{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.665{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.654{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.638{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.624{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.610{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.601{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.587{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000317250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.577{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F49D00A0F96D7A2EC7A1186D112C4D,SHA256=A3116E21961C43B2D3183B6C34F31D59A52E9F23C1C4461FA71794DC4E9B5D7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.573{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.503{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000329593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:04.068{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6212DCD6A0B1CEC6555AD3BC0DC458D,SHA256=8AD01D52E40337B3768B5103382DF48E254EBB48E1E971887E3C7F5FCA7C0C71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:04.491{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000317271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.641{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0BFD8333D06133263E8704F8A5F369,SHA256=5456A7D6FAF481CFDF2DC646464121650F86DA9102CD981773FB71B1580FE7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:05.184{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BCECCFBE7E23373A32B4660556C4AE,SHA256=1A5110C0376F9CED14C5B845405AA3A92AC0EAD49533A5747F6C9B6ABDB06FB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.167{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.165{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.160{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.158{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.155{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 354300x8000000000000000329596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:03.802{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56133-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:06.209{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975DFDDDA5F9FC3A4AD0F3AF56682365,SHA256=BBE6E488CAA95403FFAA328B17EA418790504A887A92CAA6B8F11AB981D90621,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.911{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000317379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.907{D25361F1-FDAE-6305-1E06-000000007502}66526052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.886{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.884{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000317376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.853{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.853{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.852{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.852{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.851{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.851{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000317370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.707{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.706{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.705{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.705{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.702{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.702{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.701{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.701{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.694{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.693{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.693{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.693{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.693{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.692{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.692{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.692{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.692{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.692{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000317335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000317334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000317329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.676{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.677{D25361F1-FDAE-6305-1E06-000000007502}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000317322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.162{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000317321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.162{D25361F1-FDAD-6305-1D06-000000007502}5207016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.162{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.162{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000317318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.014{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000317283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000317278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.992{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:05.994{D25361F1-FDAD-6305-1D06-000000007502}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000317513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.910{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.909{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.909{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.908{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.906{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 354300x8000000000000000329598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:05.988{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56134-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:07.230{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD437994226640E4F5A080BD190A47B,SHA256=FEE4E94F47303543EB3D6A8D4B19169EDAA38BF7ED0C4CD7262DA3B01BC24C85,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.906{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.905{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.905{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.898{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.898{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.898{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.897{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.897{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.897{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.896{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.895{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.895{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.895{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.895{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.894{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000317478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.893{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.892{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.892{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.891{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.891{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000317473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.891{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.891{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.891{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.890{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.890{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.890{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.886{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000317466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.857{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FBBD-6305-E405-000000007502}1996C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.856{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.855{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.854{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.853{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.849{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.847{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.844{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.841{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.838{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.837{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.829{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.807{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.795{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.783{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.763{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.756{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.748{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.744{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.742{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.739{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.737{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.735{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.734{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.732{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.731{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.361{D25361F1-FDAF-6305-1F06-000000007502}17325984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.361{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.361{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000317437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.226{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.226{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.225{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.225{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.223{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.223{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.222{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.222{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.222{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000317428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.218{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.217{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 734700x8000000000000000317426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.215{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.215{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.215{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.215{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.214{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.213{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.213{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000317411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.212{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.212{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.212{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.211{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.211{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.211{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.211{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.210{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.210{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.210{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.210{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.209{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000317399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.208{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.208{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.207{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.207{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.206{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000317394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.206{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.206{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.206{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.206{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.206{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.205{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.201{D25361F1-FDAF-6305-1F06-000000007502}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000317387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.205{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000317386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.204{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000317385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.200{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9820D793EC999CA4FEE9E9D5AD3E3A2C,SHA256=9DD4FB259B35DA03ECAC95CCA309E59B4028F8FD465E887FB3246AFA86FFA7BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.198{D25361F1-D530-6305-4001-000000007502}40323444C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000317383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.111{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4947F02BE6B3F0A05FC81CAB13E320,SHA256=B24EDF90138946248924B4A49F3CF7AE03E1C2889D6AEC38264D43F52C25BD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.110{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=39AA6465E5CC38D9422EFDCDE89E3A12,SHA256=8DB2914EE42160115D6382030B13F88931F36ABD33FA56446F8FAC40B2689282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:07.109{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1746AE01B27C74C30042C3F6A435081,SHA256=EF301A32B41A2CE98E854725CBF4B38AF069E74C0DB1181256CC80211A433516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.860{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D63EFCFFFF3EE451101A7FFBE38756A,SHA256=B8B49FB39F8C97AEADF8EFDA90ED1BE45141BDDBF8B25C9D28C98B2C1DB2E5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:08.315{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11259EB26F0E36C0A206614F95A398A,SHA256=694E194AE926F84E8F0F903078D3872379DBE10DF6203FFC2532DFF2DE5CE452,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.729{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000317575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.729{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.713{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000317573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.660{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844D4853F438C20B231C240D3F82843C,SHA256=453EAC9662786FD5A823572063760216D15E19DA30FB10C6AB69573273EF024C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.576{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000317563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000317540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000317539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000317537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000317536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000317535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000317532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000317527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.560{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.561{D25361F1-FDB0-6305-2106-000000007502}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.311{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD5F7C1215E435ED4D0BE1A0D7E5559,SHA256=F02B1802337750F31A5765341A23112642973D88EC7F24158ACAECF4EBC15F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.293{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F8FB4FA602FD5302259975951F7AC9,SHA256=0D2F3DB9D52EE1454E73DF4D52556C1D775FC8BC478BC606FEAF524397003AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.092{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F85D9411588CCAB707D4770C0AEEB9CF,SHA256=C31EC4654360EE4D7AFD5F78DCEAB9C1393E0C578BAC56543F65CCA1788EBCEC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.045{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000317516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.045{D25361F1-FDAF-6305-2006-000000007502}60206984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.045{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:08.045{D25361F1-FDAF-6305-2006-000000007502}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000317630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.940{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F814C8A5AD3AAA4701AB3C4C693B24,SHA256=AA55CBCEEE6B951DD56CB499D32E046242F85D8A5A5BDB229752F1D317FF5F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:08.262{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56136-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000329601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:07.810{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56135-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000329600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:09.414{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1573D93CE411A004754C9D4E6CBD4F9,SHA256=00C0EA22DA0DDFE36000C5F0D605169956EE8B23A8AF585709133DF5E52D8537,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.394{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000317628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.394{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.394{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000317626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.247{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000317591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000317590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000317585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.231{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.232{D25361F1-FDB1-6305-2206-000000007502}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000317578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:06.640{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62207-false10.0.1.12-8000- 23542300x8000000000000000329603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:10.516{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969967A1774E6D5DE7A5FEE4CBB2BDD2,SHA256=4474C4F045097C1B037B5A96BB19AF8E2F91BCEEC1B02A66E922C7EEC2DF6E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:11.599{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232C66B7ADE132A283575E43C6BB390F,SHA256=A021A5D839942BBE843215F070E75DF22484F0FF3A79914FFB50CC3ED3C91451,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.264{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000317689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.264{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.264{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000317687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.376{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62210-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000317686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:09.376{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62210-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 10341000x8000000000000000317685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.162{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.162{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.162{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.161{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.160{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000317680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.160{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000317679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.095{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.095{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.095{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000317665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.079{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000317647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000317643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000317638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.064{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.065{D25361F1-FDB3-6305-2306-000000007502}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:11.048{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD67738CAD254E64B60DBD656D9CE26,SHA256=93970852A1E4D5F59D6D095DC11BC3CD0319BB11BC523B8D6F7920E2ADB71495,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:10.432{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56137-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:12.617{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04901A30A0B3F1E56B5278234E7D8D2,SHA256=D081750D628973DD4B5128F0A62CB0F5275FDBFACF27E6F7CF50608C088F3DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:12.158{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642AEFDE18EE99F5A12B0D2A26FB05F4,SHA256=CA01EF7EB8EB6995EE5CD9E904A8CC3CF5CE6AA13602C803C3D62FD8B553B510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:12.132{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B457B2278514FA78EB25018B09A2E5C,SHA256=1D098685E833373D3D633D79DF34FEE26B6111E1D1039A511BA47142D9C8D5D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:13.717{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500FE772B8416F29080CFCB97936A568,SHA256=DC13AF95070D53D050828FC8FABF20FBB1CD28A2ABB2974AB16EE484CFFEA21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:13.165{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBF40CE304DDD73934DFA242A2FD902,SHA256=D74CE6799640701CC41EB5F8C72D22AF65004A955FE74CED22E77EE1CA0E7F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:14.836{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC032666E408FA0F5CEEC581E822A62,SHA256=4BB414306CD05FBEC8D03AAA899E7AD91DAD41D87A283B33188D15641E880798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:14.196{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A791481C35F414F43555D5A53521E2,SHA256=B41290C328C66A44EFDCAD70F19FA1A961BD7B4A916D2534B712549724FE423E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:15.301{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674A703A8131CB69783B8CB8EBB68355,SHA256=41B3F2CB5A5F6622741951C83D240CD3FA16050C9835353F864776C24DEFDD4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:15.996{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:15.992{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000329611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:15.950{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C1C4222D10D3191EB71B2DE4271B0A,SHA256=71ACC4E2B5C1900D655EDBF828F5E7F1663DEB6B25CF6D4E9A51385C34EB4377,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:13.796{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56139-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000329609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:12.617{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56138-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000317695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:12.626{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62212-false10.0.1.12-8000- 23542300x8000000000000000317697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:16.409{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4127D0C79404A5A398A8B76C0830C70C,SHA256=E3E2BF24349E4F2B2229014327ACD121292509F7BE557369A66CE7654C388CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:14.816{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56140-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.450{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EAA0841F72A4EF0E9295A0243502BA,SHA256=6E401B3CE128A82041422316FE8349CF2E0C04BCE44707C1B6F6A9360AF44E30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.275{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.272{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.268{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.265{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.255{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.252{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.249{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.246{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.243{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.241{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.234{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.218{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.215{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.214{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.213{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.198{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.185{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.165{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.159{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.151{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.143{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.141{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.139{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.136{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.133{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.132{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.130{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.129{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.128{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.126{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.123{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.121{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.116{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.114{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.109{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.103{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.100{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.089{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.081{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.076{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.069{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.062{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.055{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.032{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.027{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.019{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.011{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 10341000x8000000000000000329614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:16.003{F6DB49F2-D1B7-6305-CA00-000000007602}48601500C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200850) 23542300x8000000000000000317698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:17.509{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDAD1192F0768051E1E810FB16CC0F4,SHA256=23BC5C8714AA5F76E419BFB36A9B7DAA5F9A39C878BE339DFA53479BF2672E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:17.050{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6952799EAE3D1339D94D0BBD8CB354F9,SHA256=5AA38C504F166D9E6D261C834985E5E311D290C024F3C2E433C02BB8D1CDC59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:18.731{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84922D2ECBCB713C157CB2A0F2C6CDF8,SHA256=A3BE1F6177D9EFCFF3BCB27A7483AD1D9A2635AF09605467C19466A02A638D90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:17.115{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56141-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:18.080{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000270F632C65296F2DE8D0630539D48,SHA256=A2535B35DC377C55A0E7E51BB94CA42B1531ADE620F7CCBF0BBAB34F4736A9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:19.762{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9291B10FE74FC15C8D7DFAF98C6650,SHA256=3DC6F1CEFDBCFB20F8ED6F844006F0A4718808308D8E84DF1FC9A3236D5F6C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:19.171{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3416C0E21C3365A6AF93206A060F212B,SHA256=210BB499BB55ADC6396DC0387C92400B6223D151C49BFA037426927A05B90A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:20.877{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0488D7E358A506E6B0F86F48A6F97037,SHA256=0CC8C0A55C45CFDA7AB41B3C88DD21B8135423474582E76ADF9CEDF128DEC74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:20.282{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792519F45C51E0B5A823C6B018C7F88D,SHA256=C86488EF7B87B641BDBE098BC10E573E3716074027F162B978B9A7DC6ED2B078,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:17.673{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62215-false10.0.1.12-8000- 23542300x8000000000000000317704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:21.977{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BAE48887BB0F451BC32191031C67E1,SHA256=982A800657256F5F48D9ED187EDBB9650E70759F8A0F48CF9509D44ED7B7DA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:19.794{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56143-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000329670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:19.315{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56142-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:21.414{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB97E1AC90C2144E628DF0BAE8C1971F,SHA256=AD6AD96562E7F48F7168E83508633E8631DC69DFBA546C7270485D9322EDA5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:21.076{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:22.535{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469EAD140E7BF198AE03E1F61FD54FB9,SHA256=30B128A7B02F45C0E661B23DDC79DCA9F276AFCAAEA4BEA24D78BA7EF67CDA4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:20.539{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62216-false10.0.1.12-8089- 354300x8000000000000000329674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:21.515{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56144-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:23.650{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F8BD529D571DC4E669326E257B6BD1,SHA256=954BBFEDFA06A7BDDA5946271606B527E3EFEF84E565FD4055ABB5822F696D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:23.197{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=177CCE436D2CE1365E5B65F986024C8D,SHA256=5F9A0979570084DC0C58E48F4ADCF92CC8D88AFB071693CCE42B808E129AEF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:23.097{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0623BC9F277BD2BBD58676519B332F0,SHA256=0C783417FE4379A562DDB7A1D977022C78D6DC696022A48A401ADC3508A03B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:24.749{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB57ACB0E35682EC6D4803264F02486,SHA256=229D5C97EEB624BC07A769E75CB84773F44E161F6F77AC4F08A4794F82C459D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.663{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.657{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.654{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.652{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.649{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.625{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.620{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.608{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.602{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.595{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.587{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.579{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.569{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.561{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.552{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.544{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.476{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.473{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:24.234{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F630BCFEDC74BA9D1B8A54FBA48734,SHA256=904AEC4E731769EC9608B0E3533BE9175903F385B9DEE7C056EEF18414F964A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:25.849{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C6960825031EBD6984EE1C0ECDF651,SHA256=AB8D5F8077B311F9BB98DC59357809EA90C20C03F97AFE3FEAFF9F95AE683B4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:23.716{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56145-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000317733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:23.628{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62217-false10.0.1.12-8000- 23542300x8000000000000000317732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:25.286{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CC7A996A09B5E38D5D221038589EE5,SHA256=0D6280E0B753FB214988E6DD86DB9307769920F4BF8C85125B62A764204C9DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:25.434{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=76BAF222AFE4D02DC02A65AA712CCEB9,SHA256=0DFD8498C68DD2D512AD68460F269E95062E6B97A2E5E4D6F256BBC87EE72AB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:25.113{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:25.111{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:25.107{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:25.103{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:25.102{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000329679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:26.864{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D662AA02FE7D3ED7039B6BA3C522741,SHA256=2E497D0232AB6C62BA3F0D3D4A2A7050ECC8D71D7A1EE2C564A92CD329F3C681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.769{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.769{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.769{D25361F1-D019-6305-0B00-000000007502}6242380C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.762{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000317740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.762{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000317739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000317738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.758{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000317737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.758{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000317736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.758{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000317735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.757{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000317734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:26.367{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3145CD79A30C9FC1955C2C02ACC571D,SHA256=9F53BCF4DA091BCB220667D8E2339BE5DF2EF247DB41541B878FCD647F02E925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:27.980{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B77B196360495241584A5E312FB88C,SHA256=10B358D69EA2112CE676343010CF734C791132ACA90B09FE268E72B98D2F97AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.810{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.808{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.808{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.804{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.802{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.795{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.790{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.787{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.784{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.781{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.775{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.757{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.748{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.739{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.720{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.713{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.700{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.696{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.694{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.692{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.689{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.687{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.686{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.684{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.683{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.551{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55A2939BEF910B050B133728DA73C97,SHA256=E811F4ADE185F5A499796A578C599DF5A3BD8DE4FA35C380D8AEBF6B9A8287BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:26.014{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56147-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000329680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:24.795{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56146-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000317749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.171{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.168{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.152{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.141{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:27.136{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:28.652{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405F1BBBACD7C4BBE5AED56498146AAF,SHA256=B06D425BD487A66E1B88D6EBA7FB6FC509CBCEB1A0A3B7508DD5E15685EF5C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:29.751{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965BFFB954C539975E59D70C857DEBC6,SHA256=C98D62E7A43D7441A279AE2AAF09FD419D9BCB445E86881C4622E7DB1ECEB4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:29.114{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC1178CC70E669EB8785EC9893A07C3,SHA256=F6ADCCB013E165ED266C657559DBF91BD0A624549413073210DDE04D2E5FA729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:29.551{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=2854E7E11E7EC249B9E9FFECF09928C0,SHA256=FB05CA240C130556DF3BAFB628BDDEF9B0E9C2633C3B01651B9057D39D5C632D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:30.982{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5362AD57B2BE8183E13BDFE7781F63A4,SHA256=D8CFCA29088AB705AF8A9F0A96685D673F1E4D9E0845459638266892B5A01F11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:28.229{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56148-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:30.250{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBFA57AED115D24BA35F63A06DA25EB,SHA256=BA4266AA18E5B3076755CCCFA65F97BB3E7B199D87765248D894C8FC6E0B8FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:28.714{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62218-false10.0.1.12-8000- 354300x8000000000000000329687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:30.531{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56149-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:31.365{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8958CB98A41E121DC5AB8DB80CFF13AC,SHA256=F35A8288D575A5B910077A24E39F4867EA2E58292FCD93503C33A9A6C8C41B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:32.097{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D514A89460EB1D71EC2574198BA8B6F,SHA256=8B445FC046196A783FF40CA144439753CD4CC3827FAA69D6E142E92AD7A3B7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:32.464{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6810C5487D49CACEF9A61C74B7537378,SHA256=C9614BCE0BD256B60547A965CE85FAF4A2EE8AF71B8C7E90E24252E5D15A0DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:33.214{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EDB1A824C4B9855A441C408309B40B,SHA256=89C586D62AEB7333FB4D16BD6031CCDEF897E7BAB16C2EC6447FEA3841CE7540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:33.565{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24B7F213FCBE869ED8481493B6CA358,SHA256=3D9EE831FB8552FF5C0F7348D5F37AE5C5D7B83720C265A69D0D30AFBF5EE790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:33.413{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-189MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:30.794{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56150-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000317784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:34.564{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=6E47DDA30DD9AB68CA40E4E3825AFA25,SHA256=6E3E0C8711DD6F6DDDC7760F9FA7548807F831F12C08C211D34987A2243E926A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:34.349{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3730EB22B997FB8833F620F0125173B3,SHA256=B249A7F769E1BE380A9C0F3C1AE176A9CCECA5AB02E8C54C4C4B1BD3DBD13430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:34.696{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C13020900D2F02D30AE815CD9DF89F,SHA256=BED888C6B37A53AF76A4D0555E9E88B85420D4C60383906D8FE4B2FCBEC181CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:34.434{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-190MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:35.495{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D8B976CBADCA5613EFD17E03E7E12D,SHA256=863716DC67455132DCDE25D29E6DCF808A89A9F16E2BC1BCE0EC584942CA0F9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:35.999{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:35.997{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000329695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:35.795{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB07385E6BEB64BDE98D61A313223D0,SHA256=351CC71D7116098FDF9DAB94F5415E4927A449548265840D9381AA1E20BAC259,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:32.730{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56151-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.895{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E1AEECFCF4ED392E9525EF388204A5,SHA256=8AF65C5E14160D034BF8BFFF69C2CE8E3E5DE112CC6EB4D199EE601AB9AC60A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:36.614{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05C30B233DB7B2FF97F4B56600BCDF3,SHA256=4160D97B56B34F996510FE3CD03700B910597229FC034D1730A2CFB4974944CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:34.642{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62219-false10.0.1.12-8000- 23542300x8000000000000000329746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.451{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B56B01B1B322B908AD6BEC043E336F1,SHA256=FB587ED554136DEF95A085D09A34D5D7216BB2A61E8FA4F6E4315284A5262854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000329745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.305{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.302{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.298{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.294{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.290{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.284{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.276{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.270{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.267{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.265{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.257{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.241{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.239{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.227{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.215{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.194{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.188{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.179{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.166{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.162{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.155{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.154{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.152{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.149{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.146{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.141{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.136{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.134{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.130{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.122{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.120{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.107{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.095{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.090{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.080{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.072{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.058{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.031{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.024{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.014{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.004{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000329698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.001{F6DB49F2-D1B7-6305-CA00-000000007602}48604280C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000317788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:37.633{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803B8AA84B5DC94482C2790130DDE077,SHA256=349626BD948D24645A17B1597D1E86F167335816585B03ED05314D37D3B0D4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:34.930{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56152-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000317790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:38.664{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3A6EC96E890340B0A22E372C4031E1,SHA256=5110CE1D385AB5661577E8B16FBF8CEB9D0867048008B6FD3D10D5870330EA4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:37.129{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56154-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000329760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.356{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.348{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000329756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.348{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000329755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.347{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000329754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000329753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000329752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.344{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000329751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.342{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000329750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:36.010{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56153-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000329749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:38.013{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE49DE043A791B2C9A5854972418AD6C,SHA256=B14AD86D1D2EBA35BD50A4060B723D1FAE1FC94B8E93148544A7FBB04315B819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:38.333{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DC94F4160E22EC9A8301ED123D87F0CE,SHA256=2E9BF03295063DD3FCF209A7A01F80DA483F80AA08E2AFF6A0798EF29B3D2D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:39.764{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAD7A421F9967FA5C4CBB88390C9C29,SHA256=E2FEDFCF95960F7B095A8BDE4AB705A80C301C53A2EEE631CBAAB2ED67EAD2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:39.121{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E280C03221D4BBA84DC471073EBB652,SHA256=4D9B4E41A16CFCC3FCA3CFD823D9DDB7F33FCEF38EDAB0EA0D27E3E3A5C021A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:40.864{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0AD1A1B073DF92079527D4A7D0C483,SHA256=1F172F32EB1CA0D86130595EBD9AD539DE2B57BB299CA38C699AC34080A9DF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:40.151{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EFD8D91982B6D1AC80AF7A6EB82E69,SHA256=D22480149AEC5FA1513C4BEC104424F5632681F490AA8338A63D68FF27FFFF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:41.979{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139DCED9FBB7E9F8BEAB3954DFAD3DC4,SHA256=BAD72E05913C80FE4565F8385A713F6964E6C20C1F8E441D0BF0E1A57D3A8197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:41.267{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3A4B4CE61BF7C32EE643B144413F77,SHA256=6CC18CC94077CC9D2FE0D5FC0ECB75617F33F1D5AB086D38359DBDF5E025EAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:41.612{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8C8DE520AD54703A3C721B27915F1AFC,SHA256=BC0113A555046B89752FE7FA1030565E0EB4B0EC906562884E02B7E6A63DB60D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:39.313{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56155-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:42.297{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B997B6372257D2D2BCE646D829D2ECDC,SHA256=10FD43DCB062B15AD1048C2AB381ECBFC0BBD390035A806BB249CB55D581AEBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:40.627{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62220-false10.0.1.12-8000- 13241300x8000000000000000329766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-SetValue2022-08-24 10:30:42.135{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8b7a4-0x8fbb189c) 23542300x8000000000000000329770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:43.399{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB58AD05B319380DC15B3D2D90143E24,SHA256=21C5B3110BAE43B2934C8AB7ADA5D56F938E8CA19DFCBC1FE12DA7474C37CF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:43.094{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99685C50744A4B69A0FD3F7ED35AFDB9,SHA256=B5D3DAFF511FF601D9C0A44F54A7B7E31AE6540E5A59D342480D4C664DE7E208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:41.516{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56156-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000329768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:43.051{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=11D640A87387CF7666D2AF98662038F6,SHA256=4820133DD9AC901644FDEE044CD652C0F11EBDE679F25588B0357D4B09AA11D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:44.797{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:44.497{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA7123523CFED930785EC3E419EF8A8,SHA256=36C66B3829B99026EE0BDBDD4C0F625AD4F7B8D4A0CBA826C0920C030B9F9FB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.633{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.624{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.622{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.620{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.618{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.595{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.589{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.577{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.572{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.566{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.557{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.548{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.533{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.527{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.512{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.505{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.464{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.461{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:44.202{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8185BA0CF1CC9125EB6C2769006035A6,SHA256=2CCC2CB4AE560EB50B607BF84B77DC2BB2DC622BAE864CC65557C6D63E3158DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:41.873{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000329776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:45.534{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B92B8C7A46C5F977BB89FE7980E7C7,SHA256=71872FF570D55851850A5EB216B10F183FB430E82FC51AB9AD2589C45915F6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.240{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=8F7D35F3836A1299FF4F669E46276CBF,SHA256=465A4068913A72EC08F53749971ADAF2A247BB30F4B5BB4F7FBA6032414BB16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.225{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72D949C1C4FC953D3E0DBF94F0DA6CB,SHA256=8A03142B4646E640A9DA62BB6CA348988F8F680760084B4E95AFA39FAA621737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:43.714{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56158-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000329774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:42.010{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56157-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000317821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.114{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.112{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.108{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.104{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.102{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:45.088{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-189MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:46.448{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46618737E79D1DE5FD11A28027DEB3AB,SHA256=556C476A1383257A3DBD2B282F3538FE91BF80B38450C4E2CDD04B1F2A8168BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:46.650{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78D9AC5D72CAFABFE08162B570A94D0,SHA256=3D3F0E1431333E5D4779B1948CCBFA836D0F5FB783CAF4F624DBA3232FCD0710,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:44.540{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56159-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000317824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:46.080{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-190MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.847{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.846{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.846{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.844{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.841{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.837{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.833{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.829{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.821{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.819{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.813{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.786{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.778{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.767{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.740{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.731{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.720{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.715{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.713{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.710{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.707{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.701{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.700{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.697{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.696{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.548{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8DC3E6E513BA281514A0092D939937,SHA256=2E6838D93455E5C71DFFE63D411829B04B913DFB56DB377F8F83B457FCED4305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:47.681{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A03407B071E1F18BD834BB0206FB30,SHA256=180E0B11CFC640BD2124712A1916DE46A318564662DE38A0D9C88A5C7A883F1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.189{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.188{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.173{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.171{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 10341000x8000000000000000317826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:47.164{D25361F1-D530-6305-4001-000000007502}40325244C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B23D0) 23542300x8000000000000000317857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:48.648{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FDAB2C54E5D1339984A799DFDF2719,SHA256=CDD85EBCB73F6738C0C8E2A5416459D61EFCF20E16F56F5D7A7F2DB856139621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:48.796{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E609039869DBB5CD25EA31763C6EAE55,SHA256=2B34EE2C847ADCCBDEEEAA155674E0B8056AFC320519876E77A771154EFC2D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:45.996{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56160-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000317859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:49.793{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DB9163CA8514297BCA2A0CB90155FC,SHA256=1D85AC6BBD2524B3C4663CA75FA3CB2BDFFB4A205E3304412965FFCEF5958B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:49.895{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791BAD118CCE5A40AA6DF63B2FB009F0,SHA256=57DDCA0CC6590E05E9EB0F45E2AD24015F8D6E296E1C2FFFFA1E11D263FF9E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:46.574{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62221-false10.0.1.12-8000- 354300x8000000000000000329782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:47.892{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56161-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000317860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:50.710{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46FB74634FA65DC2F5E1C48E3B39A891,SHA256=7C6D842884EB2FE3F3B2A8ED9D5F429DA5A8C15E959CCA9FCF5C80AE9FB434D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:48.291{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56162-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000317861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:51.012{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAB7D47DB446DC53AC1884D4E3546A1,SHA256=8846236D17D1F3D137B922B319B1540645E71285CD997315B85C7AC2CCEE989A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:51.013{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3843688E92A69330140490CE02C1EB9,SHA256=8ACEB25C55B23DC190EA038B44914D2D11F8E23258CAAEFE4784C966A3E74CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:52.130{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9AF2D94CF5D6744B5F74D7CC8131D9,SHA256=0DC0C9A46520875C404DD7C323568F7629881612407B6195D7532E725696A1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:50.575{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56163-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:52.147{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B491D7A559DC5AAFD024F38D6FACB5,SHA256=A715C5E55A0B76F1B845C52DD4012DE2D08F6BB408F695D681D912083922BC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:53.260{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A221C57F49CDA7502DC356598FE6DF50,SHA256=5A5D8FC19FC14AF4A17F7CA181EBB2F85FE70D0DFD5333624973F4385560F436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.946{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79E0E6748199310B3D4C13F9F594FC8,SHA256=BBB8F6C0D5ACCC177F01DC6A6FDE0F52996FDC05DDFE4459ED4F5CB0ACF3D819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.883{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5CD07C54F37AAD78411F0DDFD2366456,SHA256=80EB1278BEC424537F309DFBF12195EA8E4EAC02BB3EBB8954B42D4157EDD038,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.394{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000329843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.394{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.379{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000329841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.262{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DBF3C37ACBCFD01FB21A5EE55AD458,SHA256=3AFD9FEAB0CD48E9A67D4866063A0A6DF6BBB6C0776DCF36E34FF6D16C2A753C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.215{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000329805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000329804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000329797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.193{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.194{F6DB49F2-FDDD-6305-7306-000000007602}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:54.375{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA059DF4FF5AA8C6C06BB7FED045CA7,SHA256=B9C7EF01B9B0D853FD265367EA065EB42EC50DFCDC696975234705BF9435194F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000329849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:52.772{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56164-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000329848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:54.293{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876263FAE00BF1E95BC7DD075636349B,SHA256=45AA0864972762D1D4C4FB71816CC26DB8BC9EE14CD9B149EF1CC21EA11EECC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:54.278{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C6729F48DACFDF5AAB0D1896E4E1E3,SHA256=E258AAAECEACFF61EACC4325730FCB44482F89DCABAEAA008196B884DABCDD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:55.444{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C966739480DEA692A9BEC33E6CF737,SHA256=CFE52EE67F5D76F21B1B335EAF763C254AF269B5C7B5C6B2AD20F500072EB2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:52.570{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62222-false10.0.1.12-8000- 10341000x8000000000000000329914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.998{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.995{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000329912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.911{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=809B688809A31AECD9657B387070C1AA,SHA256=BA37035C708C5950CBFB3615C134699D4D627CC36D3D6E6C4426DA2B85DA78D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000329911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.851{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D92E64BC672B01122ACBF950AF54E5D,SHA256=6ABFD99A40D9FB669951ED03869C1C8754FF76BF3AB28E230CBDDBFA9D84C81C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000329910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.700{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000329909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.700{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000329908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.700{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000329907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.522{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.521{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000329898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000329876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000329875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000329874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000329873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000329872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000329870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000329867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000329864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000329860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000329856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.500{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.501{F6DB49F2-FDDF-6305-7406-000000007602}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000329850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.354{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB979F26F70584F53789869A59175C14,SHA256=3A1062BA56BCFE3F6A7C4FDE25F16E9F7C323F3C22ABD06C6736E3C2A11622CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:56.413{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3E8B30AC6BC9C134FC701A4E3A278B,SHA256=92CFD29D8324D07FC90C353A5308ADB778B4443B7A3C30B52932B6B374DE9B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.586{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451D139E6BEEC4187FD592E2383EA3BC,SHA256=1455283AE9F2D7A1F4C2EF3456C7FE63B2154A3EFF5EA200E1AAC74FFED691DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:55.048{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56166-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000330020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:53.836{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56165-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000330019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.405{F6DB49F2-FDE0-6305-7506-000000007602}51682028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.405{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.405{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000330016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.388{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E447DED88E222FAAC94052A992B147,SHA256=FA5DFE5DAFB7846FB358C2D36EE7CCE37F052176D70B99F628B2D56B06B5542B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.322{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.320{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.317{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.314{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.312{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.309{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.305{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.299{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.296{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.292{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.285{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.269{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.267{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.266{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.266{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000330000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.255{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.244{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.221{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.211{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000329996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.210{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000329995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.210{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000329994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.209{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000329993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.209{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000329992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.207{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000329991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.206{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000329990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.205{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000329989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.205{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000329988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.204{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000329987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.197{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000329986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.197{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000329985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.197{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000329984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.197{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000329983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.196{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000329982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.196{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000329981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.196{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000329980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.196{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000329979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.196{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000329978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.196{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000329977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.195{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000329976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.194{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000329975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.194{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000329974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.194{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000329973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.194{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000329972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.193{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000329971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.193{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000329970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.193{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000329969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.191{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000329968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.190{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000329967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.190{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000329966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.190{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000329965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.189{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000329964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.189{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000329963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.188{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000329962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.188{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000329961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.187{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.187{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000329959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.186{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000329958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.185{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000329957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.185{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000329956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.184{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000329955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.184{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000329954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.184{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.184{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.184{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.184{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.183{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.183{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.183{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.183{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.183{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.183{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.182{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000329943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.182{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000329942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.178{F6DB49F2-FDE0-6305-7506-000000007602}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000329941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.180{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.170{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.167{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.165{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.163{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.161{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.160{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.158{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.156{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.153{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.150{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.145{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.143{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.138{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.131{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.129{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.115{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.105{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.098{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.089{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.078{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.069{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.032{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.028{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.020{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.013{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000329915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:56.005{F6DB49F2-D1B7-6305-CA00-000000007602}48604632C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000330080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.828{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000330079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.828{F6DB49F2-FDE1-6305-7606-000000007602}37521888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.824{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.823{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.685{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000330042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000330037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000330030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.669{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.670{F6DB49F2-FDE1-6305-7606-000000007602}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.454{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790B0BDDE47D54C3212299B366353F5C,SHA256=85D3D031AED253FFE0DBDECC8232F62BBB357C8516B2C45C000359D0E8770212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:57.512{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECC9DB3C8121D6F43519798418C8F60,SHA256=8AAD108D8714C6E6269D8387010250337D7B43B858E85F80275699F1BF3B9F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:58.612{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0302FEE573C25DFE556F849779C72B8A,SHA256=FEB9A1AA6857D5FF32E3231692EBFFB888524B06B36E810544CC0807F6780564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.825{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E76BEE382E3694479092396FEB18D4,SHA256=4AED09BBC2D6092308BDFC039D14858534285CE7CF11662493552D00E9A59BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.807{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD79ACBC44005CCCB2E3D52E5AC79B8,SHA256=DF86F98F80910462916975AB552CF438EE2AFFA4A1798A4F1B09AD71AB43B7D7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.546{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000330135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.529{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.529{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000330118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.364{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000330101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000330097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000330094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000330090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.348{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:58.349{F6DB49F2-FDE2-6305-7706-000000007602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:59.747{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA09C3F93B84297207D614F21AFD2D40,SHA256=CFB5679EBD72A0A9698796FC67F0D98F6A7991921D5413C5C270439190E3B151,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.876{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000330252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.861{F6DB49F2-FDE3-6305-7906-000000007602}51445108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.861{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.861{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.707{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000330211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000330207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01C-6305-0500-000000007602}408648C:\Windows\system32\csrss.exe{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.691{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.692{F6DB49F2-FDE3-6305-7906-000000007602}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000330197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:57.233{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56167-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.594{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821E18234511D4DD1F682236106C862F,SHA256=8D98E702B915B3517C0C5213C824FEBF102BD35BB792CB2BAD89E1A6DC03F942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.407{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A746F1DB4B72449456AC2DBFCDAF0092,SHA256=1323151F548E049DB779785F8675563B6221831A2E1E41C58EFDD8AEBF2B7234,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.192{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000330193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.192{F6DB49F2-FDE3-6305-7806-000000007602}55526116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.192{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.192{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.045{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000330152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000330148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.029{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.028{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.028{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.028{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.024{F6DB49F2-FDE3-6305-7806-000000007602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:00.863{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFB0C5642BCE0D96726219B996E22F2,SHA256=831BE078810CF245791EAB152EBEF7C40E71B97F4CE8521187F3D2A9C2EFEF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:00.707{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6EB545686999942667ECBA77CDD71F,SHA256=C72A947D7771ED4672A556E83CDD9EE6A4A8FBDA9AA60DC6D5807A13C18B13A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:00.326{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39BA58B12EFA1ED84A8FC7F88074777,SHA256=F26699F695D0F620E49F0CE9BC22912FF80FA7C0A3ADFDD9CA0F329D600EA5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:00.191{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291D66834DAEB8DCF540B99AD4A602FD,SHA256=F2E52642FEFB6568EC722F86B5D72904800903E6ECCEAF40343C80ED5587B841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:00.294{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=037698179779ADDDAE366E0FCCC5B853,SHA256=D1C71CAC6BEAEED1EA9115B7D5D6FA1A00436E6860AEE244F969D9F9541655F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:30:57.690{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62223-false10.0.1.12-8000- 23542300x8000000000000000317874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:01.994{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A16B3E38ECD43B252206C14915270B9,SHA256=E5C685B8B8FE16B6A60D954B6D56A401F7DB6C5F688899B90D8A49D4522B244B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:01.808{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C2946ADB2D3B95370297E8900871FF,SHA256=D49A9F546A958CEE95F5F85D49CF8588039E922AA9A63841FBC18468040E821A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:02.927{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144390BB286D7E1116F51C71B45BCA28,SHA256=D05DC38B2A3AEBE338F9225229709020398463766FE26F8F11E276F4B29A7692,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.865{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56169-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000330258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:30:59.502{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56168-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000317875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:03.113{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F24FCBFAD0B4D71627F08B98204469D,SHA256=D35E19F118F05838CCB1D7A851DA874917A55446DD5A436347CF25A831CB65C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:01.703{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56170-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000317894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.700{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.694{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.691{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.690{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.688{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.662{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.657{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.644{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.638{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.631{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.622{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.612{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.588{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.577{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.566{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.554{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.486{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.483{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000317876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:04.247{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D06D8D6B5A1341A3D2A5C0A667F366,SHA256=F7ED3EB79F8A1C99D9C767897930F42FB57E2703DED62BE9C54B6FD35C81C4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:04.007{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89306BAC0E9EFC2D113689FA5B4B1363,SHA256=C55CA3C5E0009342296595253F7E3AAB5937B6EC4C261224662540D08A25DD74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000317901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:03.556{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62224-false10.0.1.12-8000- 23542300x8000000000000000317900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:05.393{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248DCB99FB1AE8083ED225A889379285,SHA256=8141E807D05FE80E9789C402F638DD8721BB0B7C41EC77E16ACA3CBF9556FB8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:03.903{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56171-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:05.093{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F715943CE5EAAFFBE54778F04015CFD,SHA256=0BA2FA95C755E4065CFF55F222BE55A7FA263EF0C783663DA6CAFE55F5E4FF7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000317899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:05.085{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:05.082{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:05.079{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:05.075{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000317895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:05.074{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000330266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:04.921{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56172-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:06.192{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA6748E9B1F250367A62FDA536E343E,SHA256=A2E450BD20D052467812F4534C7B750CA8DECB50DD73BE7EDB3F7D4DB12F4C5D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.715{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000318005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.715{D25361F1-FDEA-6305-2506-000000007502}69603708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.715{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.715{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000318002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.577{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.561{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000317967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000317962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.550{D25361F1-FDEA-6305-2506-000000007502}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000317955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.546{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B82338DFE45F8A0BA8E58A7BC843C4,SHA256=669A8E658BCFD3D6E6FC8E4662AC35F9F7C0223FA8FEEB1C86A7B2D7E2B01952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000317954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.254{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=45D3689C98EC9CB931CF96AA26130D0F,SHA256=0299E12247D4CCDC2C339A84BB179D08C4DB294AB8036DB65EDCA7C8E8478EFF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000317953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.183{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000317952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.183{D25361F1-FDEA-6305-2406-000000007502}54127064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.183{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000317950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.183{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000317949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000317948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000317947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000317946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000317945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000317944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000317943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000317942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.030{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000317941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000317940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000317939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000317938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000317937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000317936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000317935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000317934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000317933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000317931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000317930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000317929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000317928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000317927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000317926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000317925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000317924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000317923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000317922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000317921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000317920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000317919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000317918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000317917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000317916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000317915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000317914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000317913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000317912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000317911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000317910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000317909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000317908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.015{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000317902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.010{D25361F1-FDEA-6305-2406-000000007502}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000318216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.838{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.838{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.837{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.836{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.835{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.835{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.834{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.834{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 10341000x8000000000000000318208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.831{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.829{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.829{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.828{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.826{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.825{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.824{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.824{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.824{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000318199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.824{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 354300x8000000000000000330268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:06.088{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56173-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000330267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:07.292{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D402EB49B756812D8A51F50A1A3A12C6,SHA256=882F5291B1F1BF766D154907F57F255517FDA11711F1DA3F97F557D916A2A7D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.824{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.823{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.823{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.823{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000318194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.821{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.819{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.819{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000318189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.818{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000318175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.817{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.816{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000318172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.816{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.815{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.815{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.814{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.814{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000318167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.813{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.813{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.813{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.813{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.813{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.813{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.812{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.808{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000318159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.803{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.777{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.769{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.756{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.730{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.721{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.713{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.708{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.707{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.704{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.702{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.699{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.698{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.696{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.695{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 23542300x8000000000000000318144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.594{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27143656E15EE9435179DA807B9AE186,SHA256=2B911C8538162E6F4600021DBE4EB278611C9E5D06992DE527C8FBD1FD400C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.563{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=17DEFB6AF736EB3CAB89520E3058F577,SHA256=DEAD8FA7BFBA6A38942DE6131E9D2D73C2669934DCC10C81ABBB74D85ABDD94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.563{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA5CC66D91232B0BB57000609ABFA26,SHA256=DFA0A2EA81C16C97790165980DA39B7A74964E097478023AD4D95E26F3E0BE12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.403{D25361F1-FDEB-6305-2606-000000007502}59402796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.402{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.402{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000318138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.374{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.374{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.374{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.374{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.374{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.373{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.332{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.332{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.332{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.331{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.330{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.330{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000318126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.285{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F203B63F8AD57F409035FF99C1E41A,SHA256=9196071174D5BFB17083A738E8B9ED6875EE2C060EC9A91B784A6DEEAACEC032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.263{D25361F1-FDEB-6305-2706-000000007502}6504ATTACKRANGE\AdministratorC:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\0[1].txtMD5=6A4F2CC239AC64106B5B61CD9C59A349,SHA256=EAC1976D9A1F588524AA59B55EB56FB513F4C0C29B5CEEAA5AF30E5712AFB834,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000318124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.246{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\0[1].txt2022-08-24 10:31:07.246 13241300x8000000000000000318123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.228{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000318122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.228{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x8000000000000000318121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.228{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000318120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.228{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x8000000000000000318119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.226{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=EB23BDE140B2A7A40A10923024B4B945,SHA256=F839955D9722980FEC4540AC2FFE3C8225434A40FDF12C7F6A67E9FF3B7AA7E8,IMPHASH=E530C982EE775310D0834EA7C551BBFDtrueMicrosoft WindowsValid 734700x8000000000000000318118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.219{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 10341000x8000000000000000318117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.219{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000318116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.219{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x8000000000000000318115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.218{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 734700x8000000000000000318114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.214{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000318113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.214{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 13241300x8000000000000000318112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.214{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x8000000000000000318111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.214{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 734700x8000000000000000318110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.214{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 13241300x8000000000000000318109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:07.213{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x8000000000000000318108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.212{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81,IMPHASH=35501E61EE90F9745FCEA0F1F844350FtrueMicrosoft WindowsValid 734700x8000000000000000318107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.212{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x8000000000000000318106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.208{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.207{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000318104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.205{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.205{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.204{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000318101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.204{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=52FD1288FED0BD435BBA02023D8A5394,SHA256=C277A8E6B6E25656085647270AF0D6673DD3C6B29C99260825CD5909FCB82549,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000318100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.201{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000318099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.200{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.199{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.198{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x8000000000000000318096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.197{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000318095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.197{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000318094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.197{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.197{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\wininet.dll11.00.14393.5127 (rs1_release_inmarket.220514-1756)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB9D348470B507BC5761495A04335B06,SHA256=F538BC5C83DC2A3ECAF99BA1786066A6D511DA2BC3971B937882171315AA46C0,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 734700x8000000000000000318092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.197{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.196{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000318090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.195{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000318089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.189{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000318088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.188{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000318087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.188{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000318086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.187{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.186{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.185{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.184{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000318082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.183{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000318081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.182{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000318080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.181{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.181{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.181{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.177{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000318076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.177{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.176{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.175{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000318073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.175{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.175{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000318071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.174{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 10341000x8000000000000000318070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.172{D25361F1-F902-6305-8E05-000000007502}5886416C:\Windows\system32\conhost.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.168{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.167{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.166{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000318066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.166{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.166{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000318064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.165{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.165{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.165{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Temp\upload_files\c2_agent.exe-----MD5=54DC70B4DDC0747D4ACB035A8DCA0F2A,SHA256=D3FC9AB03C621BBE4AAC12B3C10916E4157176BDDF9D9F22F5C4D927A5F67064,IMPHASH=A0E97A24ECFBE5C6C399A4ACFE90B744false-Unavailable 734700x8000000000000000318061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.161{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.160{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 10341000x8000000000000000318059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.160{D25361F1-D525-6305-2201-000000007502}8201008C:\Windows\system32\csrss.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000318058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.160{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x8000000000000000318057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.160{D25361F1-F902-6305-8D05-000000007502}8607052C:\Windows\system32\cmd.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.159{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe-----c2_agent.exe 10.0.1.16C:\Temp\upload_files\ATTACKRANGE\Administrator{D25361F1-D527-6305-3399-180000000000}0x1899332HighMD5=54DC70B4DDC0747D4ACB035A8DCA0F2A,SHA256=D3FC9AB03C621BBE4AAC12B3C10916E4157176BDDF9D9F22F5C4D927A5F67064,IMPHASH=A0E97A24ECFBE5C6C399A4ACFE90B744{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp\upload_files" 734700x8000000000000000318055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.159{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000318054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.159{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.157{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000318052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.156{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.157{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.157{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.156{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.155{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000318047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.148{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.148{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.147{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.147{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.147{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 10341000x8000000000000000318042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.147{D25361F1-D530-6305-4001-000000007502}40323372C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D2B2190) 734700x8000000000000000318041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.147{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.147{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.146{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.146{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.146{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.146{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.146{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.146{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000318031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000318019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000318014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.130{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.131{D25361F1-FDEB-6305-2606-000000007502}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000318007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:07.061{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92D7717EBDE594E3BE5C00DFB5148F8,SHA256=8D25740F04F5BE55F7AF4EAAE9BB648C85D822C53AAA65F3DE6348709CCF4979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.763{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1E7D5C06BB85E017837E1AEF47083D,SHA256=5BCEDE4D931CD77C20A058CBF093515889AB732F72E3891E71E3C6EEF8232901,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.648{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000318278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.632{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.632{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000330269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:08.395{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA8DB0DBB0F2F6336FBA180D3D88D6A,SHA256=4060BFB33B09F93A1DB11AC85C835F76BB450C157BE0F9176BA814CD8AE995C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:06.722{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62225-false10.0.1.16ip-10-0-1-16.us-east-2.compute.internal8081- 10341000x8000000000000000318275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.511{D25361F1-D029-6305-2900-000000007502}26722216C:\Windows\sysmon64.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.511{D25361F1-D029-6305-2900-000000007502}26722216C:\Windows\sysmon64.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.505{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.504{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.504{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.503{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.494{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.494{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.494{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.494{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000318264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000318243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000318241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000318240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000318239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000318238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000318236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000318233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000318228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.479{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.480{D25361F1-FDEC-6305-2906-000000007502}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000318221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.213{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD65268123995B392620098CC57FE18,SHA256=8DA6D0E97757EE293EF080FDDCAB3D6E63DE51BA8A94E73AE7DB1DBF31F8F107,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.016{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000318219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.016{D25361F1-FDEB-6305-2806-000000007502}8923712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.016{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.016{D25361F1-FDEB-6305-2806-000000007502}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000318339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.878{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980684F1D494738747BE62521D4F7EDC,SHA256=2818B857A7B10464220894304AB424C20C4C9B09D5F7ACF1644A405385CFEFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.878{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC900D594633C742DCEEF5A4560F7360,SHA256=4A985125775FCF6061223F8329E87C1807B97467AA8BAECB8A7698D713F80A01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:08.372{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56174-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:09.524{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E93F845D8650EF2DB4912C184133A98,SHA256=37CE13E80641485D48632276D13B28F13C3A2380888EF3EF64DAED92F46EDAA1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.352{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000318336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.351{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.350{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000318334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.337{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.336{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.336{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.336{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.335{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000318329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.335{D25361F1-D530-6305-4001-000000007502}40321944C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 734700x8000000000000000318328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.163{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000318307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000318293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000318292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000318289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000318285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.147{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.148{D25361F1-FDED-6305-2A06-000000007502}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:10.545{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA78B8756C9E37B7CE9CAE09B13545B,SHA256=18BE4182884C9BC2335FB0E1F1280286C82C21BFDA17152BEEBDE089BA869F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:08.726{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62226-false10.0.1.12-8000- 23542300x8000000000000000330273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:11.674{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF27F89CC3E6A4654294C5AED5DF1E7D,SHA256=66801CA36FD1E7ECC4E1D98198BE1C64D908820F9BA088AF1EB00CE17B05B0AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.388{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62227-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000318393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:09.388{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62227-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local389ldap 734700x8000000000000000318392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.278{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000318391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.278{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.278{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000318389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.062{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.062{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.062{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.062{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.062{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.062{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.046{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000318375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000318357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000318353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000318348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.030{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.031{D25361F1-FDEF-6305-2B06-000000007502}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000318341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:11.011{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFA5E3DA4607ACFE2814DBBEDC047F2,SHA256=1504E6212A5E03CCDE5BD6B14C688ADA050D7E17EA224D3CFCC101A15765E864,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:10.653{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56175-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000330274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:12.775{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA33F5D688716823150419E0F8DB1B7,SHA256=BFCC5404478A3B260DCB1043258B85CBD45C7031A143D035683501DD0588E69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:12.162{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA960C6289DF7392C08021B0FADC989,SHA256=F4521DBD79F3593CB55F8F9A060161E880F1187BA2B20769A1451A37FF9C022A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:12.093{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF32B3EBB8E52BFAE6487CAEB613FC21,SHA256=572ABE6E4AB192DDC06226ACCDB804FB2DE43E1EEA05CC10F8CA1D30126F2B42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:10.825{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56176-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:13.890{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359C15A536092318B88B1D8A92346B5D,SHA256=4D2D5342996292158059D30AD96C1BC66C6AEE8BAC7031E5C7E76ADBD8E70C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:13.613{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\glean\db\data.safe.binMD5=FB2250EFB149009EAFBCAD5EB22A213E,SHA256=A91F2FEDB9F3229056801B62AA543FFAD252DFE8070EE81202F730E95FA61547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:13.233{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A03FCE7F3C6328CC82E142417709B9,SHA256=F5AAA6FADB4F93E1F510A78DDBB520899C0297DCF7246200F63B7FD88CF3BAAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:12.923{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56177-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000318399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:14.265{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2715697D4F7A4ADA247FEDAB9CF8E38E,SHA256=5A1362FDEDB599AB3CBE90927254A66D10C559624D3017A451B56747BB283EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:15.394{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F964B093D94272506F3398D225E343,SHA256=3FBE143011862BF828C6559894777838C390955BA083A8297310FD05988A149B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:15.992{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:15.988{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000330279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:15.007{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEA024C2C1018C09DF7EF5BBDCAC90B,SHA256=FDFC0EB1BC9B18D2B57D5C3875C8C1B8802AD1FEE6B33ABFB9CA714A42DE717E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:14.642{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62228-false10.0.1.12-8000- 23542300x8000000000000000318401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:16.479{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7605345946BB2EA519C777F7F2AE3790,SHA256=97B771E70C6DC6FCD9CA409C1562F6F178BEB4F030C0F1EFB5BF7BB63CD07242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.462{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F91FCE18E6C866387DC20973A41043D,SHA256=1FFBB9CBAF65B020D41943C8B26A507706162DD6A2929B51FF1F1F573B79B0B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.411{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.408{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.404{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.398{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.394{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.389{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.382{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.376{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.369{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.358{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.348{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.324{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.320{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.318{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.318{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.285{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.260{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.234{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.223{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.213{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.205{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.203{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.200{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.198{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.195{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.192{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.189{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.188{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.186{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.184{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.180{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.175{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.169{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.166{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.161{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.152{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.146{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.125{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.116{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.108{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.100{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.089{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.079{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.041{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.032{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.024{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.013{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000330283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.010{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140ACDE8A93CA15D461BB3EA2D383D93,SHA256=0633D9C93D7B2AF6DBEC7E5A422CB8CA9DDA27BA383BF1D07B7BA317F92F2676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:16.002{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000318403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:17.581{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DE572CD7096D283342A6F127A7F3F6,SHA256=666525DC4B423753B57F160CE04AE4890C4EC8F1CC9E1F31F7524C3936D48D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:17.009{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0971A56001F2436104762D024A2D18,SHA256=76BD50E55D5C6871DB0C919FD2DADF9B72877A708096FDDC464C13A50AA0B46C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:15.203{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56178-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000318404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:18.680{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A0DF45E5102E689E06F4D2EA25BAF4,SHA256=2BE1FDA10979C4028566564422C2B4F5BC768283C97AA80C0315E695F42D38FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:17.473{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56180-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:18.110{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A5D2107FA39835338F63CB064AA1E8,SHA256=2A61B14F798F6930235D4C283F0F0776CCBE3E7E338683C1DB853E2F4358AC1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:15.869{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000318405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:19.814{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5CB1D6178F9A2A69B74F500F48560B,SHA256=8DFD1F7DDEC757FC2D6A658EC117DE84E1FEAFBF0954AE9293132D48E99F5A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:19.111{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E869F0BEC0A935CC991D2F84485A2268,SHA256=8213CA4C63158A57233025EFFB7ADD63A8020099FBC7A148E58E3BD83B437BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:20.948{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29883DDA3FF22CDA46E9B0DF5458A96F,SHA256=098461637C9F92AD402DED8F27AE68812B1B06A82EBAE510049D244C5EC102CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:20.248{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96824E6FC274F7ED63F82C43997BE250,SHA256=4347A0864B7CE6B51A53AFB8020F435C9C8346139C687E7E2FD76B976B06575E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:19.658{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56181-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:21.379{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DD482AA2D453F961D849448B23E5ED,SHA256=A58878C6A5C17380C379E4E2A18BE515F354630E801843C259159DB0DDB8FCBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:19.712{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62229-false10.0.1.12-8000- 23542300x8000000000000000318407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:21.094{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:22.481{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88532264601B1E32223B1B33B8C8EB62,SHA256=E241AD2340C75D95E7CAC10266054DA4A38AC1A15A22C5EE678567E844ABF499,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 11241100x8000000000000000318411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:22.979{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\cmd[1].txt2022-08-24 10:31:22.979 10341000x8000000000000000318410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:22.881{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000318409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:22.063{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE8BA377B7591933027165AD937FD6A,SHA256=1E0447116FB0E63E4B62F776A3A5D1782B89A837D636201BCCF70E5C65110C69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:21.927{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56183-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000330343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:21.822{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56182-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:23.613{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0119062FB768F22B1CA70245D8D3CA0C,SHA256=4408C3FC401A8A0338B323AA9EAF5F8645899DDE3CAA72C34A91891081303E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:23.312{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2346EBB123ADB83A3AB761F43527F0,SHA256=3BCA55BA03131B7D78D6773AB88FEEC10FBEE37226D1C04089CE8B971E5E7807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:23.194{D25361F1-FDEB-6305-2706-000000007502}6504ATTACKRANGE\AdministratorC:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\cmd[1].txtMD5=99E00FF86C9A2781B316D065DB9A900D,SHA256=288EEE275C7A93A9CCD9FBEFD3D8A323ECF264807B2AEE77EABEBD8CC5524A60,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.194{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\ObjectNameLocalSystem 13241300x8000000000000000318506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.194{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\DisplayNamemalware-test 13241300x8000000000000000318505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.194{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\ImagePathC:\Temp\upload_files\c2_agent.exe 13241300x8000000000000000318504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.194{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\ErrorControlDWORD (0x00000001) 13241300x8000000000000000318503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.194{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\StartDWORD (0x00000002) 13241300x8000000000000000318502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.194{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\TypeDWORD (0x00000010) 13241300x8000000000000000318501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.179{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.163{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.163{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.163{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.163{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.148{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x8000000000000000318483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:23.132{D25361F1-D019-6305-0A00-000000007502}616NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\nettun.PNFMD5=843B14C478DE9C98A2A5BF130152C199,SHA256=48CA4A547CAA8657D328AFDC1D1BF187EAA967DA8544D882855D7AD3D971BA11,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.132{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.132{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.132{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.116{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.115{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.110{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.110{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.095{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x8000000000000000318442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:23.079{D25361F1-D019-6305-0A00-000000007502}616NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNFMD5=201E4AFBCCF244C9042750A735E7A5DD,SHA256=4D11A3C1D901C04E991D70D0623B101D485AA605491DD85D7EC346300291A7D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.063{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.063{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.063{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.063{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.048{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.048{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.048{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.048{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.048{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.032{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.032{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.032{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x8000000000000000318429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:23.032{D25361F1-D019-6305-0A00-000000007502}616NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem19.PNFMD5=79D965443B1A50ACD2597C330D31E55E,SHA256=98568EC80F031792F64D5CD59C7030AC2BA2EA6D8B1E3959E0D59E8AC26E487A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.032{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.016{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:23.013{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 13241300x8000000000000000318414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:22.995{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\14d\52C64B7E\LanguageListBinary Data 23542300x8000000000000000330345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:24.711{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFFD185718AF881791B30C4FBEDF8AB,SHA256=375C6AC9608476C99083BCBBB56430083638A4F14163B26AD42F06BF9217664F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.678{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.672{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.669{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.667{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.664{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.636{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.627{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.614{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.606{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.598{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.583{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.569{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.550{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.543{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.534{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.526{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.472{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 10341000x8000000000000000318515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.469{D25361F1-D530-6305-4001-000000007502}40321788C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180190) 23542300x8000000000000000318514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.431{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCA6E40D53EE1F16CD04E0320C94BA4,SHA256=8EAA4321607CC32DE3368CECDDBAE1238378ED074FE1409D091C1B8E7A1C5BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.431{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FCC544001B592547FE1696E8B22F06A5,SHA256=8C59085EBDE6A77FC0B816F7EC6CD1869419497184B088F5730D8E984B7F3D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:22.363{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62231-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000318511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:22.363{D25361F1-CFFE-6305-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62231-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local445microsoft-ds 354300x8000000000000000318510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:20.559{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62230-false10.0.1.12-8089- 23542300x8000000000000000330347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:25.814{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E28A8409E23DDDD48B40DE5DFDD15AD,SHA256=C014C2B18A7E6447603BD25CE5577C6CA6FFF3B22A96EC2DA91B6A531DF3889F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.648{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E305EAFF63EFB26013C0A3F9A8C43335,SHA256=0FC99B9212754A6770E465FAEAE757A366D7DE20912BE9637C5528F7B657C90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:25.290{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6C576C300F829C33706D9D22A4291C2,SHA256=821A7D348C7226381FF8FD93EADA7741F5F010C184BB82B405D68E02AD48A705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.083{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E9485820287C3DC5892CA7052DA88C1E,SHA256=1BA738C324EC620307FB0D95DB83FA4295A6CED42E4D143418A3907EE5A9526C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.080{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.078{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.074{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.071{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:25.069{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000330349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:26.851{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D9EB567EF649ED24356E2A1372CB31,SHA256=B21EB2A47DC1EBDB1F7CB3B5A4CE0C3BB725374054AADC4ED288990441D60681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.768{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.768{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.768{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000318547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.761{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000318546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.760{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000318545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.756{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000318544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.756{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000318543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.756{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000318542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.755{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D530-6305-4001-000000007502}4032C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000318541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:26.714{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EACC689A2D0DBE9B67CADBBE5E9A59,SHA256=009AB6B56EA75096372D3A4CEF2419B2F36ADCAB43C31ECFCD2FD932677A653D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:24.129{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56184-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000318540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:23.689{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62232-false10.0.1.16ip-10-0-1-16.us-east-2.compute.internal8081- 23542300x8000000000000000330350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:27.982{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6BD5B4D3024163D010CAE1CE37C8F3,SHA256=986626E2AD7CC7396DAA5E4268A9D1C76F5EB74A429B463BFB7D925D155FC9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.881{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964B5E24372C839D9539C9BF36FF096,SHA256=01711EBA8544CF578157A62FEFE555A77C826EF0F80D45D33CC80A0DF5B1B65D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.806{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.804{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.803{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.803{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.801{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.799{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.796{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.794{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.792{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.788{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.786{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.779{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.760{D25361F1-D01B-6305-0D00-000000007502}8841336C:\Windows\system32\svchost.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.755{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.748{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.740{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.720{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.714{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.704{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.696{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.692{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.690{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.686{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.683{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.682{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.680{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.680{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.165{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.164{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.147{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.145{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:27.133{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000318552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:24.713{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62233-false10.0.1.12-8000- 23542300x8000000000000000318606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.933{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663CC9D528248B2C641490E3D1069D34,SHA256=48AB05FD882C78CACEBF7FA0A41D0A3DAC5CB2551930EFC76CA97E639661EE3E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 13241300x8000000000000000318604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000318603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000318602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000318601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8b7a4) 13241300x8000000000000000318600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xab7466ed) 13241300x8000000000000000318599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8b7a4) 13241300x8000000000000000318598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xab62c2e0) 13241300x8000000000000000318597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000318596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000318595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000318594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 13241300x8000000000000000318593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000318592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.648{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-CFFE-6305-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000318591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.648{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000318590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.648{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x8000000000000000318589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.532{D25361F1-D019-6305-0B00-000000007502}6243960C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000318588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.532{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000318587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:28.532{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-854.attackrange.local 10341000x8000000000000000318586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.532{D25361F1-D019-6305-0B00-000000007502}624664C:\Windows\system32\lsass.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000318613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.980{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD495F7668A6BC40B31D52C613BAD66,SHA256=7C74305CA3EAAC919E0CA5DAD18A733CD586B4C1FF8CF040F0A807B456D79D49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:26.330{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56185-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:29.001{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69FD83FC7A58AEC24CD393FB5BBE2A7,SHA256=CA31D807473BF3092F3E2ACB76161B7B210229EA79521DE8191613D9942F0838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.596{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B95AD0BE6F3359495F8E819A4D042E5A,SHA256=9C0183E01CCE87F2C11287938013D499151B770DD4881FA283044AFC46736952,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:29.564{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXEHKU\S-1-5-21-3412628824-1499889274-2375607625-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8b7a4-0xac004c20) 10341000x8000000000000000318610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.564{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000318609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.564{D25361F1-D528-6305-3A01-000000007502}47604912C:\Windows\Explorer.EXE{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80199AF0CD8)|UNKNOWN(FFFFEE3886E17E08)|UNKNOWN(FFFFEE3886E17F87)|UNKNOWN(FFFFEE3886E12611)|UNKNOWN(FFFFEE3886E13FDA)|UNKNOWN(FFFFEE3886E12296)|UNKNOWN(FFFFF80199806503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000318608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.564{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb3f94d.TMPMD5=7C93E0E6DCAB68B9BCC4A82C8177A955,SHA256=A68F241C43CB569619FD463D3B05D59F2CDDBA1A0B0BFA98F8E433A34B35189A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.549{D25361F1-D52F-6305-3F01-000000007502}4944ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nzjzgcj5.default-release\datareporting\aborted-session-pingMD5=5A09349283DBAA137E29D280C29294D3,SHA256=116CB94B4E5ADEDC681F3A5FDF63E8BBE0F29122668A56A9170873D0F5B06F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.024{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62235-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000318616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.024{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62235-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000318615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.015{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62234-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000318614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:28.015{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local62234-truefe80:0:0:0:68c4:7f64:ca7d:4ba6win-dc-ctus-attack-range-854.attackrange.local389ldap 354300x8000000000000000330354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:27.828{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:30.101{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DCE768E6C58380E6D4456951DF6AA1,SHA256=A70E9C53385CAC8D82BDE8BDEB069C5B2318140DC14ECE9AE694B6B2AB11A63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:31.200{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE5B157E01BEE587A391892A328E5E0,SHA256=6BACDA87F75CEE35CB96D6A1DB19C0028D9BF060700F9811D5A59B8DC6008CBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:28.515{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56187-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:31.134{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C573B86F6314E207A3350C3C58E3C9,SHA256=80719A0AAB20756F3A601FC4C9A2F279219A19C141664E0731B4AE2AF1FDA183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:32.317{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D03E5481ADD17EDBF6EAF696C13BDB4,SHA256=E159F527246863720683E69F0C9FD835E2AB58320A5370321B4937B482124372,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:29.728{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62236-false10.0.1.12-8000- 23542300x8000000000000000330357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:32.234{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1165EF420C88F750B2397E5E82E7C7,SHA256=9FEAF61A4AC9B200B407CCDB74B503DA819899CE12B93470728AE10C97031066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:33.349{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ADC87DA117DDBDA0DF3311B322886A,SHA256=2F75D3A6F6AB7FFEB659A06EA9FF8950A3837F17105E2A45F05D5BE67573C2F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:33.337{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1FD0CBECFD365BD46F92A1E9708DA6,SHA256=171E26998A0BACFF3C7EA5B8E4075B882FFB751DB67CBEBB5467333DBE135DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:30.696{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56188-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:34.961{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\respondent-20220824071544-190MD5=851C1BDCE24799827A46BDEF84E24F69,SHA256=A8DDD79C01783B8DEB1232D16C99CDB7F1E65E5CC4C7A6D1B1EF45919D0A7BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:34.475{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F755D6204A509251AC30D5CD38869F5,SHA256=C7ED335E6F5DBEA3318C6A3895E2F6641DC534E607A1BD66D1E080993B88635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:34.493{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E27CFD99ADA24490025D1329FAA925,SHA256=6E0D8B9562A6B0CA21F3C436BC331C95B7D631763E410A2BBB291A20A93ACA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:35.984{F6DB49F2-D01D-6305-1D00-000000007602}2004NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f5693f3f9e2a3703\channels\health\surveyor-20220824071542-191MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:35.563{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B240CE0F9ABCBC5157A814038BA5C084,SHA256=7CE5D46E0DFE969F32DF71A3349B0A786759803F50E23ECB63919F884CB02E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:35.593{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1C115A33975228C6CCC894469604AA,SHA256=477FEE40E5CCC73779B4BE14ACFB3A11278015BEC87D14A53402056A60937C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:32.895{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56190-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000330362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:32.874{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56189-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.941{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B68EBC34EC2B10A6DAA0D8061DAB65,SHA256=582A442B15770250D22B1D74FC3BA7BED27B26B870E85E49C9EDB965FA0C83C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.939{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48281BD6A3680835C923FA7A417C4CB8,SHA256=F55ADFE840240B3769442720503ECDA02EA5C4A4DFE405BFD2B70B785872DAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:36.677{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0963A74642C12FE75EED03C5A918A7,SHA256=AED33F781BB1B688390FCAA0F726795C14BEE3FE32076CFBB9BFDF9508AF5338,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.371{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.367{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.363{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.358{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.354{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.351{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.346{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.342{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.339{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.335{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.324{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.306{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.305{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.304{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.303{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.285{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.271{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.238{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.224{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.208{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.203{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.200{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.196{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.193{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.184{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.182{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.178{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.174{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.172{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.168{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.157{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.153{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.145{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.135{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.131{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.124{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.121{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.110{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.101{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.095{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.083{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.076{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.068{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.042{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.036{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.028{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.020{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.013{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.004{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 10341000x8000000000000000330366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:36.000{F6DB49F2-D1B7-6305-CA00-000000007602}48602512C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D35A190) 23542300x8000000000000000318627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.792{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D7A48102DAC62C4694677E6CE8E264,SHA256=D714F9CA33E6DD46B151E834960B7DAC96FB7FBEC676B2DFDCF85EBC9343300C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.745{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A314DCC8A05D9C4249324A7D640AA0F8,SHA256=E60B376662289E9D140FCDE054FB6A7B8AF45C4A9C565E809CD8EA4D8345D8E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:35.099{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56191-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 354300x8000000000000000318625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:35.587{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62237-false10.0.1.12-8000- 23542300x8000000000000000318630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:38.809{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6C8A1E693373A3177696EE330E3D03,SHA256=48EF0979131B0B6FF3C02972F19094AECEDAF4ED0C42550FCDA5E0127989388D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.356{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.356{F6DB49F2-D01C-6305-0B00-000000007602}6244776C:\Windows\system32\lsass.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.351{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000330425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.350{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000330424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.348{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000330423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.347{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000330422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.346{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000330421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.345{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000330420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.344{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D1B7-6305-CA00-000000007602}4860C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000330419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.039{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E25692BB7EE318F903D21A4ABE1FFDB,SHA256=FF1BCE25BE1F9F75341DC093163B1B7F5ACC858347C4B28E9EC1B0A16BB8759F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:36.825{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62238-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local135epmap 354300x8000000000000000318628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:36.825{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62238-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local135epmap 23542300x8000000000000000318662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:39.292{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11340ED7D9530283E9A2939573EF598B,SHA256=9B2D7682CE7B4CC92198B4686ADAC630E0B5C4F3DBFCC349DA7FDE367D8D7737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.695{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local60486- 354300x8000000000000000318660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.695{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local56096- 354300x8000000000000000318659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.694{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local57291- 354300x8000000000000000318658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.692{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62626- 354300x8000000000000000318657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.692{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local62626- 354300x8000000000000000318656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.691{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local60755- 354300x8000000000000000318655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.689{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local57242- 354300x8000000000000000318654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.684{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local59115- 354300x8000000000000000318653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.683{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local55332- 354300x8000000000000000318652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.682{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61843- 354300x8000000000000000318651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.681{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local60903- 354300x8000000000000000318650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.680{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53065- 354300x8000000000000000318649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.679{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local51405- 354300x8000000000000000318648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.677{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local56456- 354300x8000000000000000318647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.676{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local60276- 354300x8000000000000000318646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.674{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local63067- 354300x8000000000000000318645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.673{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local65535- 354300x8000000000000000318644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.672{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local57024- 354300x8000000000000000318643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.671{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local54206- 354300x8000000000000000318642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.670{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53621- 354300x8000000000000000318641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.669{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local51335- 354300x8000000000000000318640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.667{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local54715- 354300x8000000000000000318639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.665{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local63156- 354300x8000000000000000318638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.664{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local56093- 354300x8000000000000000318637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.663{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local65535- 354300x8000000000000000318636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.662{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local56110- 354300x8000000000000000318635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.662{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local56110-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domain 354300x8000000000000000318634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.661{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local51335- 354300x8000000000000000318633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.661{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local51335-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domain 354300x8000000000000000318632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.655{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62239-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local49666- 354300x8000000000000000318631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.655{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62239-false10.0.1.14win-dc-ctus-attack-range-854.attackrange.local49666- 354300x8000000000000000330431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:37.396{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56192-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000330430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:39.141{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A40F16F3C1A783041AE238C2370A25E,SHA256=59A581F48222A9AFDE2F69D18347B70990564FE7443BB392813778E450F63E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:40.409{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45B75612B8C606AD7DA4B9A61239DBF,SHA256=574A7C243D8563476893F9D4365DBACDCA33D38671B964E16A4067A3E16B62C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.707{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local54624- 354300x8000000000000000318670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.706{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local56089- 354300x8000000000000000318669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.704{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62705- 354300x8000000000000000318668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.701{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local58984- 354300x8000000000000000318667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.699{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local51870- 354300x8000000000000000318666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.698{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local61809- 354300x8000000000000000318665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.698{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53960- 354300x8000000000000000318664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.697{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local60028- 354300x8000000000000000318663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:37.696{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-854.attackrange.local61322- 354300x8000000000000000330433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:38.847{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:40.237{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC397E7E103D55396D5413F0FC0ED13,SHA256=35A640D3A9E01CF71B899DB94B138B7384D290BC12070EF33EFF3E9FAD674E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:41.612{D25361F1-D01B-6305-1000-000000007502}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D636841E8B418A831B2601691B554DE6,SHA256=654CB0279AE551D6F3CA42569BD2854B2238B9984C97B36CFC58D50282540788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:41.390{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C92E7BE78F69F935F517DC02CB5036,SHA256=F13CA987407FE494073ADB96ACC8288BB5927CBDEC74A7AC49644D4C7BB0C61A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:39.699{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56194-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:41.387{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55218E3DCE3EE197D0E23E2352E44399,SHA256=A779186D886A0D755A03B10F2E4A90ECB6124C2D058FD0105AB4E16EC0278C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:42.579{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8210BD7120FAAFA34180271355116C,SHA256=71019E071A36CFFEF4775A4096EC001411AE8AFBEBB6295FCE057894332DD322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:42.518{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6447995FD8DB98EAF3897568243880,SHA256=881F39FA025B5F2525C55323F723E45B9866F597EF16DF2510EA6B928545479E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:43.662{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0B6EB4BB28A8693B311B613382454D,SHA256=B51B43D9C7EFBB65D1400339B9ACEBDA1DF0DDF336B662C2F979711D44E08ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:43.637{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79994A445CEEDA03DB07F5C050393C6D,SHA256=F764873336D9A22C9B2FE870426DC5D313791E95141DBFEE36FC03898E45CAA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:41.996{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56195-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:43.055{F6DB49F2-D01D-6305-1200-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=08765D43F3C1283FB56AA9D4F194165C,SHA256=5FA8EB5F6CD3D1570863FAA44764348D08A4598388693CFD434CCCE6B0DFA137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.768{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C1B0F77317C0C91935E6B37C263E0E,SHA256=C2E8D135E151EBA462A6541618A6ED6057812964FEFA179BE8B748C91384DF6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.693{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.682{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.679{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.678{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.676{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000330441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:44.817{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=034024099B93D4CE4EC85DF5DF56C7CC,SHA256=40150E0A0A7C68FF470300BC6791DDE55E52FD6898FD91CC64093C6C1F346EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:44.637{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0648691E9CDFEBFA51D2A32267C1510,SHA256=39353E85A92682E84243857C3B0F0D0AB391E38738175CC2D62E8FA82C7BD780,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.648{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.643{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.625{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.620{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.608{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.598{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.586{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.575{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.569{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.559{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.546{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.486{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:44.478{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 354300x8000000000000000318677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:41.624{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62240-false10.0.1.12-8000- 23542300x8000000000000000318702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:45.730{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81703774DF5B6BF1CB8276AF755FC9C4,SHA256=7B72D9F3A6D8B941CEBAAC9E6B362CF35FCCA26B5EDFE069921F2001203ECDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:45.757{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDFCAD5867A9F5F16480C8CFC017E3B,SHA256=DDA7E9DE50460450352AB270E0E2A3583C61AC9D99D9383F9091EE90165AA21C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:45.108{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:45.106{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:45.102{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:45.099{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:45.097{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000318704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:46.845{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED121F8C0F3FB13A999A33CEC1AEB0A,SHA256=DB25B5A66C7AC7BC0F0B1FB63B8BB18D30E1B32EF323F2E03AD6295DD5A83F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:46.889{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F008B4BB93A95BB06CB9DF7C2E6E369B,SHA256=EB202B20A4E9DE1DED07C1423B0DDD9B11A210036444B48D397A87BE52959B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:46.612{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\respondent-20220824071555-190MD5=C398FF44BA8F43AD7A8029B76E2C1EF5,SHA256=4C6F81E45944D54744100C2EB299BA71940A7EFCD2CB181986B74886844E8C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:44.875{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56198-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000330444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:44.560{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56197-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000330443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:44.165{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56196-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000318768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.864{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.863{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.861{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.861{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.857{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.853{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.847{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000330447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:47.988{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B4CCB49F255BC7051D2D27CD7386F9,SHA256=4CB3E37EE598400287135F771370CEFFD0714000FEE24745D4E7313DEB2BF7DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.842{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.838{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.835{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.832{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.824{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.792{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.783{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.772{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.759{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.759{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.759{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.759{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.758{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.757{D25361F1-D01B-6305-0D00-000000007502}884904C:\Windows\system32\svchost.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.743{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.737{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.729{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.724{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.722{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.719{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.716{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.713{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.712{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.710{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.707{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000318710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.630{D25361F1-D029-6305-2800-000000007502}2624NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0598500b965caa157\channels\health\surveyor-20220824071553-191MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.187{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.183{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.168{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.167{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000318705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.161{D25361F1-D530-6305-4001-000000007502}40321080C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000318770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:48.130{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D449CE1531D7CF8065FF6199BA30BEC0,SHA256=E5B30611412CC6EE827B94665C1B4E338FC89292A203F9000AB548C1AA620845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:48.130{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC8160E8092AD19C9D93342FAD15678,SHA256=472CAD65200D9222603E4E36E5341728727C46AC9BA05843B4754583DF960383,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:46.436{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56199-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000318772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:47.625{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62241-false10.0.1.12-8000- 23542300x8000000000000000318771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:49.044{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E8F096F0BF0EAEB5B3A5D31812303,SHA256=89A48E18A174F70419327D3268E877CDF6DDADA7433A17DBAD1BE4CA6C1AB06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:49.074{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D579A662B7A98217E6C938B7744F73,SHA256=9F2C3F473A5049F35D3ED17703DB36059E490901AD8C9BEAB9877DE32CEA8AAF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:50.990{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\DeleteFlagDWORD (0x00000001) 11241100x8000000000000000318774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:50.990{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\cmd[1].txt2022-08-24 10:31:50.990 23542300x8000000000000000318773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:50.175{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB7158DC8B9FCF769B7E0994B294F7C,SHA256=2D7FA52827E3FDCBB48888ABD44C82F5BA00E570EC8DDAD65D1476B49AC6664F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:50.202{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6428D6B7140FE1572659735469CDAAD1,SHA256=15B4E27BCA35F6010EE941F632BE2A5056EEB3EE73C51DBE33260AEDD683A4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:51.408{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11F2160F9B82707356723659FE5CFCE,SHA256=8CBB8ADA4BEC1AA73C8E8F1340B0A574D5E33403509F24FFFA7E8AE036FAB7B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:48.650{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56200-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 23542300x8000000000000000330451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:51.304{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527892F82E0E5FDB3C6D4AB0783BAA6F,SHA256=D940BE03450F411588AA222C55B2B09903A33DA1AD4E01956EA958F62512F8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:50.990{D25361F1-FDEB-6305-2706-000000007502}6504ATTACKRANGE\AdministratorC:\Temp\upload_files\c2_agent.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\EDP37FQ8\cmd[1].txtMD5=11475BB6FB2B7A5489CD175A102D20F9,SHA256=D8902B72614E04692CC287533EAD84328CCE62BA1CDB0E2D32B498ECEAEDCF6E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000318776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-SetValue2022-08-24 10:31:50.990{D25361F1-D019-6305-0A00-000000007502}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\malware-test\StartDWORD (0x00000004) 23542300x8000000000000000318779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:52.490{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364D3CE9A35D920C3F6D4CF7DEA76C2E,SHA256=F68688475ABF20261F26CF2BC6EC81C9B00AC4BF6EBE6F32F1207C3628DF8687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:50.965{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56202-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000330454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:50.894{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56201-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:52.421{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504586048903521FA6BE4CD5DE08428E,SHA256=DC16BF442F0F1384C75CC5CED253B420FE0AFECB55541EB2250D490C4C30C98E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:51.485{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62242-false10.0.1.16ip-10-0-1-16.us-east-2.compute.internal8081- 23542300x8000000000000000318780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:53.589{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE00BCEA31EC0F3591D2AB27795D84B6,SHA256=25AFD0AE4375135BFA12A74F641B7EEB007E24D44D0432DD337D95C5F622DBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.559{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DA611F976073B70B2B5D96902ECA29,SHA256=35D0761CB162ECA205110937F0361E13E0EF756194C302B82DDF5F36F71D6D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.559{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B14E69A636C07EB79B54E6ED331516,SHA256=4251CC3D5B323DBDF5F16F2B9B0261C41AE2F274C33F8365723821542F061961,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.375{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000330510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.375{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.375{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.220{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000330476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000330469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000330465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.205{F6DB49F2-FE19-6305-7A06-000000007602}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:54.683{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFB848E97C9DEA8ED1302275D7C7DA0,SHA256=F7AFBD7CA15708B3245B089D7C7485ED94DEEAC879E2274EA0875D0AEEEA307E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:54.673{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AA64820E5C199BFF4C84FE3554AB5C,SHA256=6D24BECEB08DC379E59BBF9BC718B8D73F88348C84F5238C7E8C268AFAE25DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:54.285{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52DA949C3469CF393F5E274012F72772,SHA256=86F324220C525B4B26E3863FC6833EB2E03C13BD6F949889D831930AC58BCE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:54.285{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0207EA6D1347BA976AA1C5381B54E2BE,SHA256=09FD27AF123C8AEC8FC39E933FAB19CC4E801BC74D99BA1626CC11D8EB94B0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:55.789{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A597D17DD9E337EC4A4DB057301E1BD,SHA256=53EEE50D590F8483FB576FFAD6E5F246B1880430FB6EA7697B57DA60EEF15ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:53.584{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62243-false10.0.1.12-8000- 10341000x8000000000000000330576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.995{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0B00-000000007602}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.992{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0900-000000007602}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 354300x8000000000000000330574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:53.238{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56203-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 10341000x8000000000000000330573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.667{F6DB49F2-FE1B-6305-7B06-000000007602}52804744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.667{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.667{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000330561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.530{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000330546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000330534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000330531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000330528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.514{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.515{F6DB49F2-FE1B-6305-7B06-000000007602}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.414{F6DB49F2-D01D-6305-1C00-000000007602}1928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A0A2672BBD8BA2E38A5DC189ACB468B,SHA256=91FA943B5AF0FB3A2E1BBC29070E8A837B2B6101BF763ECB36C442512267C49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:56.727{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C96F08360322F39F13346E00A6983B,SHA256=0C2BD518766E9AE2098A6F914B8BC2D9612601259D20180266B597546799F034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.583{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F903AA4DFD739D3F35B68DC0A5D8FDB,SHA256=1A1AE34442E391B81E6A55CC3632D4C49086AB762783C19F757E532211A011F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.461{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-F77A-6305-B405-000000007602}2380C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.458{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.455{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D684-6305-A301-000000007602}1364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.453{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D675-6305-9801-000000007602}6080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.450{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D661-6305-9701-000000007602}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.447{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D65E-6305-9601-000000007602}5656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.444{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D658-6305-9501-000000007602}4700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.441{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9201-000000007602}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.438{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9101-000000007602}3284C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.435{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-9001-000000007602}5220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.427{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8F01-000000007602}5488C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.410{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D657-6305-8E01-000000007602}5876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.409{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D475-6305-4B01-000000007602}5560C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.408{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-ED00-000000007602}1120C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.407{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1E8-6305-EC00-000000007602}4524C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.395{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C600-000000007602}4288C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.385{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AE-6305-C500-000000007602}4192C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 734700x8000000000000000330675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.376{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000330674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.375{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.374{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000330672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.366{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-C400-000000007602}3272C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.359{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AD-6305-BD00-000000007602}3084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.351{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AC-6305-BA00-000000007602}3128C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 23542300x8000000000000000330669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.348{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4C52C5518B3C54188E3339B0CD9B08,SHA256=2115D5D5FA6FB98228317E76408B85342CEE09919AAF4634741ABE66C9252B41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.347{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B700-000000007602}2720C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 23542300x8000000000000000330667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.345{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C020CA806EDD24D040CA7187CC7B6B,SHA256=264058CB6B3AF451AC4D46D94A9C618A613053C02A647F511599C155DB6CDB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000330666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.345{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D1AB-6305-B500-000000007602}492C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.342{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D097-6305-8500-000000007602}3932C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000330663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000330662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000330661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.287{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000330660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000330659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.286{F6DB49F2-D1B7-6305-CA00-000000007602}48604892C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000330658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.205{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.205{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.204{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.203{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.201{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.201{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.201{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.200{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000330649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000330627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000330624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000330623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000330622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000330621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000330618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000330615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000330609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.178{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.179{F6DB49F2-FE1C-6305-7C06-000000007602}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000330601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.151{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D02F-6305-6D00-000000007602}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.148{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.148{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3E00-000000007602}3024C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.145{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01F-6305-3D00-000000007602}3040C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.144{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2C00-000000007602}2948C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.142{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2600-000000007602}2624C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.140{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01E-6305-2500-000000007602}2348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.128{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2100-000000007602}1704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.124{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-2000-000000007602}352C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.119{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.117{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1D00-000000007602}2004C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.113{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.107{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1800-000000007602}1752C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.105{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1700-000000007602}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.093{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1600-000000007602}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.085{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1500-000000007602}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.080{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1400-000000007602}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.073{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1300-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.066{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1200-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.058{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1100-000000007602}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.031{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-1000-000000007602}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.026{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0F00-000000007602}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.017{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01D-6305-0E00-000000007602}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.010{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0D00-000000007602}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 10341000x8000000000000000330577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:56.001{F6DB49F2-D1B7-6305-CA00-000000007602}48603856C:\Program Files\Aurora-Agent\aurora-agent.exe{F6DB49F2-D01C-6305-0C00-000000007602}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200610) 23542300x8000000000000000318786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:57.758{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E4F216DEBC35CF46911A061DEC50ED,SHA256=A561A453816C67A2AD82A366C1FEAA690AEA1ECA1D0E487659715A6D2D5CEB8B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.867{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000330751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.867{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.867{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000330749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.977{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56205-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000330748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:55.523{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56204-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 734700x8000000000000000330747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.683{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000330733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000330715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000330711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000330708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000330700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.667{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.668{F6DB49F2-FE1D-6305-7D06-000000007602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.014{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0B86333636918ABDADB62B8D4F03CD,SHA256=59B39BF288B030EF75B1606BDA42064244C2D64635AD7847411E61224DEF9D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:58.888{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52449AB039B91D420B9D2405EA32F41B,SHA256=A35B7B1D798CB251199814A90B5581A3B799EBB44D48B3314C5B492030AF132D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.983{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000330865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.983{F6DB49F2-FE1E-6305-7F06-000000007602}3724972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.983{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.983{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000330862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.967{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40254651B0077E8ECFEAE29E94C7669,SHA256=431BEB88A19505089DA7286C85F7BA160BE98165E20578E2F29823492D55DE2D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.829{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000330823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000330821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0500-000000007602}408940C:\Windows\system32\csrss.exe{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.814{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.815{F6DB49F2-FE1E-6305-7F06-000000007602}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000330809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.439{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000330808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.438{F6DB49F2-FE1E-6305-7E06-000000007602}56644124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.438{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.437{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000330805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.296{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.296{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.295{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.295{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.293{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.293{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.292{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.292{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.285{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.285{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.283{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.283{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.282{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.282{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.282{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.282{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.281{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.281{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.281{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.281{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.280{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.279{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.279{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.279{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.279{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.279{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.279{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.278{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.278{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.277{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000330768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.276{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000330767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.276{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.276{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000330765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.276{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000330762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.275{F6DB49F2-D01C-6305-0500-000000007602}408524C:\Windows\system32\csrss.exe{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.274{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.270{F6DB49F2-FE1E-6305-7E06-000000007602}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:58.269{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390A4E324174D85BBFFA40F668596CCE,SHA256=7EF17D6C23B565EF9E5F35EB924C7D5AF0D4BB0C0541D147CA31265FDA29CA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.930{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA751051E230F4DEB44D74A7A0AD7AC,SHA256=F3C7806DEC951CF0E69B5F795D8E6AE9CC6CF96E081D02DCD654B169DAD52526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.898{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5DDC79A8CE1E5CAA5D51157CEFF997,SHA256=8594A9276916860E5CB82F177F11AED002E920670B471B619115CED90B0FBF85,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.667{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000330924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.667{F6DB49F2-FE1F-6305-8006-000000007602}23445068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.651{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000330922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.651{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000330921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:57.692{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56206-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.573{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82851A1532368D589DB1A9B235BD0CBD,SHA256=CF23C2247106AB9B20A2ABF1F21B8285F79BD8C74BCFD3C6D4BB1C90E8D1FB99,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000330919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.509{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000330918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.509{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000330917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.508{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000330916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.508{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000330915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.506{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000330914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.506{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000330913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.505{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000330912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.504{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000330911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.497{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000330910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.496{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000330909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.496{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000330908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.496{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000330907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.495{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000330906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.495{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000330905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.495{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000330903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000330902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000330901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000330900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000330899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000330898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000330897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.494{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000330896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000330895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000330894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000330893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000330892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000330891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000330890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.493{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000330889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.492{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000330888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.492{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000330887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.492{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000330886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.492{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000330885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.492{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000330884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.492{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000330883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.491{F6DB49F2-D01E-6305-2C00-000000007602}29482968C:\Windows\system32\conhost.exe{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000330881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000330878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000330873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.490{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000330872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.489{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000330871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.489{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.489{F6DB49F2-D01C-6305-0C00-000000007602}7205912C:\Windows\system32\svchost.exe{F6DB49F2-D01D-6305-1F00-000000007602}2032C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.489{F6DB49F2-D01C-6305-0500-000000007602}408424C:\Windows\system32\csrss.exe{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000330868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.488{F6DB49F2-D01D-6305-1C00-000000007602}19283984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.484{F6DB49F2-FE1F-6305-8006-000000007602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F6DB49F2-D01C-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F6DB49F2-D01D-6305-1C00-000000007602}1928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000330928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:00.533{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A730D897B5A7CFA2A6498E4AF88D88,SHA256=017C7DFAFFBBCE81860E5E8B57783B45BCE8F515A9977DCB9176A7F46CA03D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:00.005{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1325D849D49C798B661C5ADB43FB6B,SHA256=99F68A6283A115E26D2FD5B51505CB457658C2A546FD4F94C1FB2B7EE83C92ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:31:59.877{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56207-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:01.631{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08CDE4A2FB39E46063D0D169F5E63DD,SHA256=4F46A4783B2B108666F29971AFFE4E693BEF9C0694A532BC05C0576F90B13E3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:31:59.536{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62244-false10.0.1.12-8000- 23542300x8000000000000000318789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:01.305{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A684B0A41E4A52F99941443B3099BA80,SHA256=BD40144BF7D069120687FB610864DC0ECE91D2064F6CF0BD6AC703DEF3EE3924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:02.750{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B7EBED019E905AFAE4687EBE08B170,SHA256=E00FB087127103214AD23DDE4F4A460F849445839E8AA30ACA3D2B1F4066D52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:02.439{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1537DE04DDB480000765C3BBC5639B9,SHA256=6B88057D74DC110C411FDFFCE618A9748AF2728E9389B8FABAB76A9E6BC9C612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000330934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:03.800{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0977DBE988D7BBEAFBAA77387C52A4D7,SHA256=5BE80AC41373981D0CC865F7E3448422D64BB91B825428AED7EEDFD2EE1D17B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:03.554{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDF81E43E5CD79315438FC9643DFC47,SHA256=D64DB99C4CC360D6F9FDC341B62210FEB27BD408F2B6E7192860D2DE2FA0E8D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:02.148{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56209-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 354300x8000000000000000330932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:01.989{F6DB49F2-D028-6305-6200-000000007602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56208-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000330935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:04.915{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD99C3C69BC62758F0CDA9DA80BE2FD,SHA256=3F62E558F500FE8B43399701BBA37C01452C14BA4770FC0DAA6CEC6ADD38FF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.661{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90280FAE4A2A12A885014C134793B516,SHA256=20C6DC8F06E740A14E6B3472EDD2793100301813A04468C7E4FAD3DAA41EC772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000318810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.647{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2600-000000007502}2604C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.635{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2500-000000007502}2516C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.631{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D025-6305-2300-000000007502}2368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.629{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01C-6305-1D00-000000007502}2096C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.627{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1700-000000007502}1392C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.601{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1600-000000007502}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.592{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1500-000000007502}1244C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.577{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1400-000000007502}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.572{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1300-000000007502}848C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.565{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1200-000000007502}684C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.557{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1100-000000007502}380C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.549{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-1000-000000007502}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.539{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0F00-000000007502}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.533{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.524{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0D00-000000007502}884C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.517{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D01B-6305-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.469{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0B00-000000007502}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.466{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D019-6305-0900-000000007502}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000330937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:05.967{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A673EE2D6F157DDEA2111259E8646C9D,SHA256=1292092E6728DF68DE7F7B5CF74E6AD6407FBFDDDEFF12A060A482FF4D801C8A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000318864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.889{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000318844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000318829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000318825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000318822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.873{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.875{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000318817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.814{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32CA3A1471906881D4FF0543FDBFEB1,SHA256=28AC9E2F353CD47CEFC42DC8618282B5ED1EF06A86BD250697B1810AB18C28C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000330936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:04.346{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56210-false18.67.39.6server-18-67-39-6.yto50.r.cloudfront.net443https 10341000x8000000000000000318816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.110{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2C00-000000007502}2768C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.107{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2B00-000000007502}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.104{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.100{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:05.097{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2800-000000007502}2624C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000318922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.985{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F048BA44E089622551A6907B125DAD9A,SHA256=B1ABB9F9DAA3B6470BB9EAA1D0C1E507548DE94F8A947D6EF14320DAE46724BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000318921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:04.734{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-854.attackrange.local62245-false10.0.1.12-8000- 734700x8000000000000000318920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.788{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000318919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.788{D25361F1-FE26-6305-2D06-000000007502}56684656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.772{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.772{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000318916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.586{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000318894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.570{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000318881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000318880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000318875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D019-6305-0500-000000007502}408524C:\Windows\system32\csrss.exe{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.555{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.556{D25361F1-FE26-6305-2D06-000000007502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000318868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.039{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000318867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.039{D25361F1-FE25-6305-2C06-000000007502}58842036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.039{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:06.039{D25361F1-FE25-6305-2C06-000000007502}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000330938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:07.048{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BAC084CB824231A4BE59EC9AE06384,SHA256=628F44D548B771C8A11DF5980008883895C5FED49C412F080FC74CA2D48D1F81,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000319054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.934{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000319053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.933{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000319052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.932{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000319051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.932{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000319050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.930{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000319049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.930{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000319048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.929{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000319047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.929{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000319046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.923{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000319045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.922{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000319044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.921{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000319043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.921{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000319042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.920{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000319041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.919{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000319040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.919{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000319039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.919{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000319038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.918{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000319037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.918{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000319036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.918{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000319035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.918{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000319034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.917{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000319033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.916{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000319032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.916{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000319031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.916{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000319030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.916{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000319029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.916{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000319028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.916{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000319027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.914{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000319026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.913{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000319025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.913{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000319024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.913{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000319023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.912{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000319022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.912{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000319021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.912{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000319020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.912{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000319019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.911{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000319018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.910{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000319017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.910{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000319016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.909{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000319015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.909{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000319014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.907{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.907{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.906{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.906{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.906{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.906{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.900{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000319007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.813{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-FDEB-6305-2706-000000007502}6504C:\Temp\upload_files\c2_agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.812{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F93F-6305-9C05-000000007502}6740C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.811{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8E05-000000007502}588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.810{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F902-6305-8D05-000000007502}860C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.809{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-F76E-6305-5B05-000000007502}4112C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.805{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4701-000000007502}6132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.797{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4601-000000007502}6056C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000319000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.795{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D533-6305-4501-000000007502}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.792{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4401-000000007502}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.789{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D532-6305-4301-000000007502}5476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.787{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4201-000000007502}5180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.780{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D531-6305-4101-000000007502}5124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.760{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52F-6305-3F01-000000007502}4944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.753{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D52A-6305-3C01-000000007502}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.743{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D529-6305-3B01-000000007502}5024C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.722{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-3A01-000000007502}4760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.716{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D528-6305-2E01-000000007502}4140C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.707{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D527-6305-2B01-000000007502}1784C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.702{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D526-6305-2601-000000007502}1760C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.699{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D525-6305-2301-000000007502}2352C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.696{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D0A3-6305-8900-000000007502}3516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.693{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D03B-6305-7B00-000000007502}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.691{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D034-6305-7100-000000007502}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.690{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4500-000000007502}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.688{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02B-6305-4100-000000007502}3496C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.687{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3800-000000007502}3236C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.386{D25361F1-FE27-6305-2E06-000000007502}39044176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.386{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000318979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.386{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000318978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.246{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000318977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.246{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000318976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.245{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000318975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.245{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000318974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.243{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000318973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.243{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000318972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.242{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000318971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.242{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000318970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.241{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000318969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.235{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000318968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.235{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000318967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.235{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000318966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.235{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000318965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000318964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000318963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000318962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000318961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000318960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000318959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000318958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.234{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000318957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.233{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000318956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.233{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000318955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.233{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000318954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.233{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000318953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.232{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000318952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.232{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000318951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.232{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000318950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.232{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000318949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.231{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000318948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.231{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000318947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.231{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000318946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.231{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000318945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.230{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000318944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.230{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000318943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.230{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000318942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.229{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.228{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000318940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.228{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000318939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000318938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000318937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000318936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.227{D25361F1-D019-6305-0500-000000007502}408424C:\Windows\system32\csrss.exe{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000318932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.226{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000318931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.222{D25361F1-FE27-6305-2E06-000000007502}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000318930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.179{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D02A-6305-3400-000000007502}3120C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.178{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-3100-000000007502}2040C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.163{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2F00-000000007502}2808C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.162{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2E00-000000007502}2800C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000318926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.155{D25361F1-D530-6305-4001-000000007502}4032572C:\Program Files\Aurora-Agent\aurora-agent.exe{D25361F1-D029-6305-2D00-000000007502}2776C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000318925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.024{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746D362C293CBACD527DD0E3B3F9E75B,SHA256=DDCF3FC78E1251EAB10B9B01AD1021E52B2C0B48523A0010B6264413394F7C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.003{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571544C4AB26EBDF1AE421C1C1F0A53C,SHA256=8B898355F2FDC9DBED65791F69B44DFF181437B12D1D294CB8E91AAC03ABD475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000318923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:07.002{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0FD60FE43AD565A9EF315A9C63FA34D,SHA256=67B9BE309B5CB46ABD7CDCDDFC2C2C7A05FFB45B23A77839BF757E69B15CC449,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000319116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.608{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000319115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.608{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000319114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.608{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000319113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000319112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000319111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000319110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000319109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000319108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000319107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000319106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.455{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000319105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000319104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000319103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000319102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000319101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000319100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000319099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000319098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000319097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000319096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000319095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000319094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000319093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000319092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000319091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000319090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000319089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000319088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000319087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000319086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000319085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000319084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000319083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000319082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000319081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000319080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000319079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000319078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000319077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000319076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000319075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000319074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000319073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D02A-6305-3800-000000007502}32363256C:\Windows\system32\conhost.exe{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000319072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000319071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000319070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000319069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000319068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000319067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D01B-6305-0C00-000000007502}8286764C:\Windows\system32\svchost.exe{D25361F1-D029-6305-2900-000000007502}2672C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D019-6305-0500-000000007502}408404C:\Windows\system32\csrss.exe{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000319063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.439{D25361F1-D029-6305-2A00-000000007502}27483320C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000319062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.440{D25361F1-FE28-6305-3006-000000007502}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D25361F1-D019-6305-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000319061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.170{D25361F1-D029-6305-2A00-000000007502}2748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F84420A13C1FD92C3867F705F86C9ABC,SHA256=4C069036B8881C67C53D81C43A51F3D52101A76869B503D533CED91747A42D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.123{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFA2AC06F9A8548D90AD7A32009D0E0,SHA256=B635900D6CD9C0102CA39C85BA47A47712260443928744067EB1EBA19B3E277E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000319059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.104{D25361F1-D03B-6305-7B00-000000007502}3164NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AA5D66DF09BDDE20DB733A032C3E27,SHA256=DF6329F2FFC1062CA39C9FB419D16440D94209FCCC1C976C5773289E2A887738,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000319058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.070{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000319057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.070{D25361F1-FE27-6305-2F06-000000007502}53686868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D25361F1-D029-6305-2A00-000000007502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000319056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.070{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000319055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-854.attackrange.local-2022-08-24 10:32:08.055{D25361F1-FE27-6305-2F06-000000007502}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000330940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:06.646{F6DB49F2-DA7B-6305-1902-000000007602}5284D:\Onedrive_fotos.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-538.us-east-2.compute.internal56211-false18.67.39.46server-18-67-39-46.yto50.r.cloudfront.net443https 23542300x8000000000000000330939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-538-2022-08-24 10:32:08.148{F6DB49F2-D02F-6305-6D00-000000007602}3112NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0380013F2A12CB6605A1C047161CDA72,SHA256=AE1F408177D6D7F8754D7962CC7BA1B5D6D36F7817198E4C7F88AF34651E0C34,IMPHASH=00000000000000000000000000000000falsetrue