23542300x800000000000000044967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.769{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE37C.tmpMD5=8473AC8F0011BB56B0BB1899E5CF15E8,SHA256=56F8C768C83464654B8F3762509362CC87ABAF960A3AF30CF697DD3F5CB1DC08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.753{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE36C.tmpMD5=6028F2CD4EC2DAEF804C5354E38EF977,SHA256=88CBEBC76ABBA370B1985EFB0DD2EC86961E4C883CD7CC6457561940C7BF92A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.738{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE36B.tmpMD5=AE6FBDED57F9F7D048B95468DDEE47CA,SHA256=D3C9D1FF7B54B653C6A1125CAC49F52070338A2DD271817BBA8853E99C0F33A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.738{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE36A.tmpMD5=2A8875D2AF46255DB8324AAD9687D0B7,SHA256=54097CCCAE0CFCE5608466BA5A5CA2A3DFEAC536964EEC532540F3B837F5A7C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.738{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE359.tmpMD5=9B7427A803C8856E0EF56A5D14624310,SHA256=AC6C321EFE3016F8716731482C852C07431C384BCA190B23252AA424752D5BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE358.tmpMD5=D192F7C343602D02E3E020807707006E,SHA256=BB4D233C90BDBEE6EF83E40BFF1149EA884EFA790B3BEF496164DF6F90297C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE357.tmpMD5=2DD3F3C33E7100EC0D4DBBCA9774B044,SHA256=5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE356.tmpMD5=635E15CB045FF4CF0E6A31C827225767,SHA256=67219E5AD98A31E8FA8593323CD2024C1CA54D65985D895E8830AE356C7BDF1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE355.tmpMD5=2D84AD5CFDF57BD4E3656BCFD9A864EA,SHA256=D241584A3FD4A91976FAFD5EC427E88F6E60998954DEC39E388AF88316AF3552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE354.tmpMD5=379523B9F5D5B954E719B664846DBF8F,SHA256=3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE353.tmpMD5=5F243BF7CC0A348B6D31460A91173E71,SHA256=1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE352.tmpMD5=FC94FE7BD3975E75CEFAD79F5908F7B3,SHA256=EE1ED3B49720B22D5FDA63D3C46D62A96CA8838C76AB2D2F580B1E7745521AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE351.tmpMD5=DB7C049E5E4E336D76D5A744C28C54C8,SHA256=E8830E7AC4088CF3DD464CAEC33A0035D966A7DE5AE4EFC3580D59A41916FF7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE350.tmpMD5=F732BF1006B6529CFFBA2B9F50C4B07F,SHA256=77739084A27CB320F208AC1927D3D9C3CAC42748DBDF6229684EF18352D95067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.347{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542A80E19B1B27B92AC08AB3195D0A69,SHA256=91889CC56A52979E924D9A0055FF274B6EB9C638A7F14BD5F52297F5C2B215FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:48.018{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9818EAD88BD49E62A8AA9176900931A,SHA256=DBB5119390054F423665DCF4A55F9892037CA216B14A075BD1839EEA43AF4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:48.452{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1867562975624D5BF738E3E799C208E,SHA256=B631FDE048C2FF272C792E76F4BA476C7F6B575C728E44093A0903C1F961B5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:49.098{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C78728C1ED334B8F475AE14DBBDEA94,SHA256=F8BE36BA318C1C8518F740B8303EF5DE3B0C5DB2982C74324ADD0BA5FB0893F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:46.085{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000044972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.963{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.963{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.963{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.540{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4779972C98D77A52B4E838E78E192E64,SHA256=57B3B1C437CE22607890AA4F9A22F5799C5B54F1A364CC1B9DFDDB85B00D4A0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:50.185{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8519817F395163A3210B633530C293B0,SHA256=21BA8DA48C7AA2078034A7FB35BCD00893016746D2A3792374E45B5E468D5872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:50.630{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951F612E74D1E65571743A47A24DAC3F,SHA256=F9BA2F164BC2AE828CFBF82054AF723B5915080CD59D970944C7A23D962BE334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:51.279{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5500D97F65CFA8D281CC53DBF175E14D,SHA256=0F2E9A7C3C343D3664776C3E16C2F19F75E9F62B2A96496004546772724B7663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:51.710{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB11D391D54FB2F42A38B3DE23E00DE2,SHA256=4639C33611DF3F8D6AA834911FA1A1F3D8783D078C4807AFBC81E92B7A93C61A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:48.817{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:52.572{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D27A2B68459EB25D0543FCE8E2AED46,SHA256=C2AF9C0093701B0E65C35CFFC545942D0568AE7F6D8E3A5700485E9D2C7D56DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:52.364{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFBABA8285216292FEAA0B166590254,SHA256=02C3B109D3D612904B38070F14DB4AD16EB5DFDAC5E06AF425776DDDE1131D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:52.799{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B55AFA8C118467DC5BD677E3D2C444,SHA256=C1AC879640A5C12102B9410156E425ABE068983E9CC445C0D21A8BF54EA77279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:52.090{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:53.438{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380397158702DA80FDA8F23B250602F2,SHA256=992FCDECF04B8FFCBC5702E0C1575846E0F23747333B5031CF403068C846D954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.967{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.967{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.967{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.888{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDAB4B45127B384E60F0135472A749D,SHA256=435A99BFD017D76F5DFD0E204FB239812CBB84164B35AA9D07A59CF873D64776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.731{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.725{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.722{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.720{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.718{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.715{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.711{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.708{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.706{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.704{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.687{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.675{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.667{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.659{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.653{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.635{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.627{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.593{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.573{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.567{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.559{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.551{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x800000000000000019881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.528{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6352EB615C30A2F32CBDB44881BDC4C4,SHA256=4E55AF611D176E2EAC27E2AF2548C260E7841BCF15A3393F86EBE8048A1BE0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.482{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.471{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.458{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.447{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.439{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x800000000000000044982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:54.970{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75531FA88AFE540AEE51C18FD8915F57,SHA256=4500413FBD36A79ECB41D3E2297AB7D47321D7151BB08E80DE9BA76AF6F4151A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.428{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.421{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.416{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 13241300x800000000000000044981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-SetValue2023-01-24 08:49:54.196{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92fd0-0xd41495fe) 23542300x800000000000000019904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:55.880{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAD3A4F2ADC809F8B6B8D02BE94D550,SHA256=D43972F687EE31CCA2F659E4A080A7032E3A511E64AA5F95ED26CF333A9BA4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:56.917{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58ED12B2B3FC3D4684535D197034601,SHA256=78CEF82E0ABF902AC3479AB98BD5072F99E02BAC817CAC3E3B3442C71454F801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.925{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.925{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:54.610{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000044983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.049{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA9883A123D29C4302027EAED658BAF,SHA256=E6B5A20A8ACF0A3DEE369E9AD6B83A51702E5B14C34733693C5C3A865E3C28C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000044993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\Office16\sdxs\FA000000063\index.win32.bundle.tpn.txt2023-01-24 08:49:57.906 11241100x800000000000000044992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\Office16\sdxs\FA000000062\index.win32.bundle.LICENSE.txt2023-01-24 08:49:57.906 11241100x800000000000000044991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll2023-01-24 08:49:57.906 11241100x800000000000000044990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll2023-01-24 08:49:57.906 11241100x800000000000000044989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll2023-01-24 08:49:57.906 11241100x800000000000000044988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll2023-01-24 08:49:57.891 23542300x800000000000000044987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:57.141{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0961C6C630DD296A491497BC16CE080E,SHA256=5594145C931B09272D12E117E8508D47409F512A14B7C7C4B37AE80B62ABD4B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:58.003{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86E57E25B56C886E8FB09886610DDAE,SHA256=9421152F5199991D62B903732803A4FAF741E091187DA5A6033D531A1AC9070D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.166{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60718-false8.240.208.252-80http 23542300x800000000000000044994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:58.236{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C278F780865DBD32B05C3D59B99D5E,SHA256=D298C5B06896EA2F7D36AE5E44E5422AA04BC259F6690B3E8EC6C2703ED7841E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:59.078{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD77B85E3FC8F170AAD6A2C443A3C43C,SHA256=011E598F60D07110CA8ED400F4077BC9339C6F62A64CD553F17FB488CCF2B11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:59.465{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:59.325{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837E935E8DE8569C0F387F24CFB42BE3,SHA256=780271550980B45DD6622DA883719D57AB46A2D9AD4D279D84769E25EBE21724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:57.151{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49826-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:00.166{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC9FAAF79BBEEC416B661958AC70829,SHA256=0D9F44CEF9B1EF1E7EAEA42105F54565A5945B985D519722E82B6061DCE13C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:58.075{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local55711- 23542300x800000000000000044998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:00.428{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67916A260B6AE0FD7E25F74E0E64F258,SHA256=583F4CF328DAADD15E19DA49AEA3B7BE35104EB0167F8FD99E19398AA4A14099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:01.270{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8506954FE7D14B22C5B9CAA6895278,SHA256=0E56FF8F83991C61671397E511322F98ECA57970EC0B9755FD070C174B7F429C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:59.782{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:01.517{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E278248D9C19A10EFF669DF70D35B26C,SHA256=481C34D8A0FB06C78C52175012274D73AC0245067E4CDA91EEB7C8A3371DB1C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:02.379{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B82A34468930267DDEE13C527EE2B2E,SHA256=839C3D047364692EEB19187E77A95242420A69825AEAC31362A66F45920CC3E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.876{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.872{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.869{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.866{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.861{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.855{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.852{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.840{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.833{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.831{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.829{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.827{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.793{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.787{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.773{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.763{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.758{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.748{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.737{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.727{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.720{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.706{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.696{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.651{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.648{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.605{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F337DDA22A7FE7E99EA6870BCEE7F2EC,SHA256=D8073BA5A8D5CFE0B50065D0E4A04AAA6FFDED8499D563B2A370269B603414ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.434{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:03.455{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFDE161482F5D7FD471FB34C31AC655,SHA256=8CC952FF383537D1681CFC759F812206D7EB532740FC27CF16BADD46F7880607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:03.640{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840C9E061B79F5E8F248096DBE535582,SHA256=1DF04571D322747238C676EC491265BC40602D77352A2C8B8853268DE686F3BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:03.352{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000019914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:04.550{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BEF25721E00FD79F0199F65374062D,SHA256=9C8387ED3D4D84F2DECA7C17DF9A493583A140927843E2B88A704EFFF215144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:04.736{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9737E834E003F124BEB4B2AEE871A337,SHA256=6A69C78EB8DB0EB2C8C1B5C027923FE5970A822085D6022F5122357793EB6DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:02.156{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:05.633{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38597670FC4046FEFB79199C490D41B1,SHA256=528BDFC555C6B02C65309BF276B6D5C40EC7FD2DE0A739B262049B98563D9021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.989{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.967{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.943{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.936{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.928{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A300-00000000B102}4440C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.922{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-A000-00000000B102}3300C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.920{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-9E00-00000000B102}3168C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.917{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99B3-63CF-8900-00000000B102}3616C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.914{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-994B-63CF-7B00-00000000B102}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.910{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.904{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4A00-00000000B102}3836C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.902{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4500-00000000B102}3660C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.900{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4400-00000000B102}3644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.898{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993A-63CF-3800-00000000B102}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.801{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0234A98CB9E053EC05A01218EF8471,SHA256=295E7BE9DB312282AF77589307184BBD5E7923B5D023B02D815FCEFA3BF47F7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.381{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3300-00000000B102}2304C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.378{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3100-00000000B102}2968C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.304{DAC7F284-9928-63CF-1100-00000000B102}388NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:06.913{2EF863A9-992A-63CF-1200-00000000B202}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A58B6331966122A5DA5388A46BEA593,SHA256=8917A0B596B3E9A1946F646EB9276F346232927D6132BA6E6EE22C71C745BB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:06.710{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA020EB09E7CA62B8EF3C3E4EC4BBDC,SHA256=C7A19796E793F6B6826535C934B83700AAD24F32CA94CEA90F978B4DC71B5A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.969{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.905{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0AC2088B08548D039DEE6005C21877,SHA256=BB9880BC097D0DFD2D75BA7EA340F3DB54AD02B747B467AE36FA40406BCE01C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.780{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2DAE764B7857458B8B8F06999EC72C8,SHA256=026BFBCBC6C23012802FFD47574074E08AC689054A1BF82209615FB00651E7DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.218{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CC5354446CCCFB00FF4539420291F6,SHA256=4F7194823DE43218636E2C47C8AF1766BF89B64DE4CCCD4A5B4FAAA13ADD9736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.073{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.071{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.046{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.028{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.006{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000019918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:07.793{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86485EC63291FBF5778A7DB24B0601F,SHA256=24266D2D00BD3FB5208B6D1A8D09D86508EC831438E4D9566F3B130C5C70D283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:07.989{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC26715B6A3E854391E42CCC362258F,SHA256=65619DE5AAAFB196F78790635A69858AE93553FDB26BB27ED72A25705640796C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:08.865{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4DCB709B8FED65C0E90D074D26456B,SHA256=236D8540C3E78FCA57C1962DCA3880F83B8DB284E33CA111B02B218458215121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:08.698{2EF863A9-992A-63CF-1100-00000000B202}936NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFa32f6.TMPMD5=E2CB32500431EF942111E447480ABD2D,SHA256=1981A2DA03F21A75184C52356779EC843CAB7AE59023CCB41579A0985DC1AA1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:04.783{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.939{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93311406D3DE9DE7518E626B247EA3E,SHA256=8E19758A77DA9357AEF33EB18F0FBD186B5232F21BC923265B49FFC13951AE74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.710{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.702{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.702{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.702{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.701{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.698{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.698{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 23542300x800000000000000019922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.557{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F2FD07B3B6364E8DE19A1EA2D95ED3B4,SHA256=0525B8C2BFDBD1B8CAE84FB3345B91F1FFE63EC31C00AF3C9AC6A71740F13296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:08.121{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.906{DAC7F284-9926-63CF-0B00-00000000B102}612828C:\Windows\system32\lsass.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.906{DAC7F284-9926-63CF-0B00-00000000B102}612748C:\Windows\system32\lsass.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.593{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.593{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.078{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9E59557EF6AA9A6A6D3ADC6A96980E,SHA256=31321AC60277B6448E2B0BA6BB4943972AA0BE27BE6F308500DFE5F2E3F01503,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000045101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-SetValue2023-01-24 08:50:10.195{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92fd0-0xdd9df250) 23542300x800000000000000045100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:10.164{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63926572F765CEB149F5C4C52F7D41BA,SHA256=88236EAC568535CDBBCD8B1FBBBFF57A4DEDC278B180B011EBF59AA45918E4F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:10.023{DAC7F284-9926-63CF-0B00-00000000B102}612828C:\Windows\system32\lsass.exe{DAC7F284-9924-63CF-0100-00000000B102}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:11.010{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B10CAB210C9EC294EF07E790335F5FF,SHA256=B4150AD9C4E44D6DE725656350CCF6D58F6CD5D8B48D1CB5FAFE12D54B78C404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:11.253{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A664270868200A5FB2F28C37B72F10,SHA256=1BD313D0E01AD19EC60CFBEB8A0FAB01747FAAC4DEA855E40483525D691E6CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.489{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60722-false10.0.1.14win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.489{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60722-false10.0.1.14win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.482{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60721-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.482{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60721-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local389ldap 23542300x800000000000000045102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:11.003{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56A5B27E36919D654FCF2FD50A0BA52B,SHA256=232A8E175E7AE00C1701621406F613F82A4F5FA6160875600316422F760428EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:12.095{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE3AB8CFFDE527F24AF0DC8583C02EE,SHA256=C250237B63083DB8FDE82546D926F78F03DA133F0980E966F4ADC30633AA1C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:12.342{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB421357749C97EA1D6D01F42AA218A,SHA256=3DD5804FC8C642E9A519BD31CFDA776AECF07F2776725F62B581880767C56CC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.783{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000045109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.599{DAC7F284-9924-63CF-0100-00000000B102}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60723-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local445microsoft-ds 354300x800000000000000045108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.599{DAC7F284-9924-63CF-0100-00000000B102}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60723-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local445microsoft-ds 13241300x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000a470a) 13241300x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92fc8-0x7dff237f) 13241300x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92fd0-0xdfc38b7f) 13241300x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92fd9-0x4187f37f) 13241300x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000a470a) 13241300x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92fc8-0x7dff237f) 13241300x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92fd0-0xdfc38b7f) 13241300x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92fd9-0x4187f37f) 23542300x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:13.273{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C692C92DC934809ED8402E2722D60A4,SHA256=4DB0CDDA8820007C622A6B134C4E121920988EC1E4F61263FE413CF2A8537DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:13.412{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F499687719333F459054B394D6D40B74,SHA256=0D659EEED19D2736F714A06805EF0F3C7315351AECC9A728110126A11B7A670A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.869{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.856{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.840{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.835{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.833{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.822{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.820{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.819{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.807{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.804{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.787{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.779{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.767{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.751{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.744{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.689{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.686{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.645{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.623{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.610{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.594{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.575{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.476{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.458{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.456{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.448{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.448{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.447{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.445{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.431{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.360{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696A57335A3E75E08B1F097A8B23C097,SHA256=C2CAC386A4617F749667830E4220DE1EDC80EAD287846584CDBD407ECC9424EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:14.491{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D8CBEF7737CB0320ECC119E4A3C4B8,SHA256=737DD39CD5A240EA9C15FB793D3A788ACDA050FE578EC9681C537314C7AB1ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.135{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:15.733{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5976CFDC5E8D84F08928C6BBC82676EC,SHA256=42165B69A82CB01B250ED41FC6F92132123E04852698CAC83990A870DCA91B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:15.562{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908B6175037AD974F32E926F174BED5,SHA256=31C707AC40C464AADB1E5177D59587654288753CE962E4B7C846155CEAB79A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:16.848{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E9D5D312645C2F01B50A0B189DCDA9,SHA256=BFA40145E0C6B38DF9209E3782DA838E6DE1F583E330C3C5CAD5C0E6CD5C663A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:16.662{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C724C9AEE149E902B844BFE72344181,SHA256=E81007265C1689E5BA1F26306517CFA389BDE7F4EFEAD77FA26E6EDB9DEAE711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:17.936{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5B7B9E24474527259D558E6E22B3F5,SHA256=BA2D7DBA1A7449374735E618F70ECD8EB4D0909B6227D1AE8E2951F1A68DD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:17.750{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F706B18A804CBA9E2DCC2D8F0F75D0A3,SHA256=F3554DD126D68051F591949F27BB6A7FC9E75D6631523318EB06B33B2D5EB8A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:17.633{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2100-00000000B202}1500C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:17.278{2EF863A9-992B-63CF-1600-00000000B202}12241492C:\Windows\System32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:15.656{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:18.839{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9729816383C07C885CDB383B44222,SHA256=1D3C1D67FF3002B1D9311A99A2EE4AC866F3957A6C93C4258E1269750D6065A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:19.230{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=AE88A13122C673039350C40B1B0E041E,SHA256=C1D055B3D58F80FC67E610F8F62395FDA9A09F824F12140CE137C7034EA20408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:19.027{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C027AE1F5FDB2D757BC88C1120A3968,SHA256=747B0649ACCCE5DDD6910FC970DC5D49B173B5823EE3DC8FE24102226B2648D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:19.928{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACCECBAB0882AE191066BB38337A1F,SHA256=C87B45E5A6DE9D4D0E2F42F03E7FA673D04875BAA923D38EEA29AB2E637F6BF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:19.214{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000019990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.922{2EF863A9-9B8C-63CF-E500-00000000B202}3496NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.922{2EF863A9-9B8C-63CF-E500-00000000B202}3496NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.912{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDACBE7C87E9C8E5A85902CA6395AAAD,SHA256=DA31DE7A82B79DA4DB7D585721684C3B061E08414D7FCAAA983645E0E178BC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.212{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5498DB595A01420D4A96E586FF511605,SHA256=CCA8B2FCCF2A5F982AD660DE6BF6AF27E229A69F7C87BE59F16218EA3FCF859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:20.228{DAC7F284-9939-63CF-2D00-00000000B102}2668NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.361{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.297{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D81CA2C2B5FC8CF58F54168B1018627,SHA256=E05897FDDD53F7BDC1EDCB1D7BAA3A0AF3D5C560F8ECD1078CB569051BBF764A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:21.833{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F48E0F3C6CBCCC7DE60C972E591F6C9,SHA256=ABF8A0B6BE4234BB3D37E7800559BB86B7B05DEA6B2F3C47BFD22596A0960C8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:21.020{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD50CF70C5EB7990A795BDD746181DDB,SHA256=F5253CE76D349BB4CF2E7418CAE134F668AF130041DC294CEA61E7DB7F6F68BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.095{2EF863A9-9B8C-63CF-E500-00000000B202}3496NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=A51F41036AB5C59544D5A46A72C81F30,SHA256=38D874FC237D5C9DBC01A1811463713D75C0661B4456E9BECEFD1E5C2EA54728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.000{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1F879A20972B7AE7E6913D66DFE1B402,SHA256=29B10739BD7023F926E459D95E30BF9EF9023216AEFADFB53CE35662EBBCB6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.972{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.722{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AA474107658A69ECCF495FCEFD9642D8,SHA256=8A93E757BEF042AD05E48EFFF990BDAE948101656E9DD60415A970496389A26B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.581{2EF863A9-9BCE-63CF-EE00-00000000B202}40523652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.461{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B4FB7BAA38DF434A37DAA37963C16C8,SHA256=022E354D2085E777B6756689805ABF21276FCD3A3F9A70942C0702DA99D2915B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.461{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DD59D3B813616A2E192A0CB9D3D8D5,SHA256=8A5EDDB98C120E9779F17A460BD587DE599E60F3F0FC2DF6BDACA0E1D899C6DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.854{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.852{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.849{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.845{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.839{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.834{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.832{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.824{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.819{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.816{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.814{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.810{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.779{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.773{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.761{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.754{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.750{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.742{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.731{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.721{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.713{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.702{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.695{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.654{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.652{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000045124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:19.800{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000045123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.109{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F4C0A2C9A912E6E89B40AB80D50DF9,SHA256=46681B5794DD4EB741A77741D2A2232D2D9926C6B258903986CFB641EF319652,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.295{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000020008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.086{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49831-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:23.585{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A12FA34849640FD3579F6DD169E0AE,SHA256=966EA6438EB9E9B54629FC8D8382D079199FAB8FF36EE55E6EA844DFF7E22CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:20.811{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:23.228{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000045150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:23.160{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9933B6B94A48F13B261E8DC02699A948,SHA256=097934525F136542FBB83DECC5B77C90113F9741EA41DB07BE917BA49308BB64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.647{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9969A3A2F3EBBCE6150E367090D274C1,SHA256=9C14F6CDA3CA8EA3539B73EBB9F36F96E91D39800201E8BCF0DCCC5E650ED40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:24.238{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651EC01F96D9C8976A167B07C0927025,SHA256=1596AB3CE5FF5063272F9F058B0D77481AE2AC36B80AD6349E19EBDD4D4B7405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.522{2EF863A9-9BD0-63CF-F000-00000000B202}38082252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.166{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.159{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.735{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4EB8CFB20285A26F02C7DB07C4DE34,SHA256=80A5B58DF6B865140C128C8D2A07403F3F4890BADBAACF509202581881F94E9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.626{2EF863A9-9BD1-63CF-F100-00000000B202}1083644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.242{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.187{2EF863A9-992B-63CF-1C00-00000000B202}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a783e9299deb56f2\channels\health\respondent-20230124083909-010MD5=1AFBE5C623DD312030DBC0B522348F1B,SHA256=0F8D0E9DDBDC43E9A6E6678369B74D4C31FA056674B43C5D9776F07421F3C22E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.934{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.933{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.921{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.908{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.900{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.892{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.877{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.862{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.830{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.819{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.809{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A300-00000000B102}4440C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.803{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-A000-00000000B102}3300C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.802{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-9E00-00000000B102}3168C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.798{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99B3-63CF-8900-00000000B102}3616C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.794{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-994B-63CF-7B00-00000000B102}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.792{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.788{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4A00-00000000B102}3836C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.787{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4500-00000000B102}3660C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.784{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4400-00000000B102}3644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.783{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993A-63CF-3800-00000000B102}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000045156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.314{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5513C2C79BEB4780CC05A20C6D84F9,SHA256=8CFFE7FB807366BD6EA743E5DDC70F83F764A659D58A7B56C197157641E5770E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.277{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3300-00000000B102}2304C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.276{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3100-00000000B102}2968C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.150{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.808{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68D21786B1EA22190217FEF1751232D,SHA256=B6B408748EB547947FADB7491C97104F267B5C6D6B56663D081901BD81C83AD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.405{2EF863A9-9BD2-63CF-F200-00000000B202}40484080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.197{2EF863A9-992B-63CF-1C00-00000000B202}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a783e9299deb56f2\channels\health\surveyor-20230124083907-011MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.115{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:26.383{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87DE9448098A9BF2C20866C5F780774,SHA256=B7F898FC8288EF2C8BBBA489D94F0252B60C753F3D7E8CC9A0BF54AC26491FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.867{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F532541D671CF1875E415466ECBC95F,SHA256=BDE94D5E855D096D5B042833CD04D657DBF9ADBDE417533E574DA0CDADF30F4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.743{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.878{DAC7F284-9928-63CF-1600-00000000B102}12961396C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.878{DAC7F284-9928-63CF-1600-00000000B102}12961348C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-9928-63CF-0C00-00000000B102}832864C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-99F3-63CF-9D00-00000000B102}3420844C:\Windows\system32\csrss.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-9928-63CF-0C00-00000000B102}832864C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.784{DAC7F284-9928-63CF-1400-00000000B102}10682036C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.472{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF40D0F366E0AF69008669FCCEA9DEC6,SHA256=A3CC8BE309621DCAFFBD703F08C1C4B64C10799B0CFD4187D2BDFF0773159EDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:28.951{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755B49DA3EBF507397A04C7C24C2A3F7,SHA256=C1407B1C8951152F295671991E47E5F3C9E3938FC9715DA5EA2F6EBB56583F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:28.911{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B929EF2ABFE08040A8E8C33CD56C0056,SHA256=9175506521C0136EDE0523170740A8F1D3E0F2A6292F099F5778506C2F6310CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:28.976{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FBACC4B7BA85A5B15FC5AAE9CA78B41,SHA256=B92CB2FA787F9FC118E42BB8758EE21901C3C14ACD8D505265760DEAED4395A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:28.560{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4383E542CAD05A4432F09F239B11C26,SHA256=6C02A8CC8267093823F23515B1C59B351CC2DAE7895B3920DA3BAB561AAA2B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:26.621{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.929{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.929{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.929{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000045189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.648{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDC7E48C5D48A2FFDC237056F82851D,SHA256=C304F28C88E411BE50D478FA20E63DD241D645F70081BB0E2E25EBF5E7DF7F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:30.043{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16BB4F03691409D569B706669CBD158,SHA256=3C1287BB237F4A85FFE4A6BF3624D6AA486EEF9D5299C405B2A0950C27293C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:30.729{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B7AD13D853DA8109EBC64486E0CA2A,SHA256=F9320A2F05D06A67AD090D227704C1C268ED40AF475430CFF2B62596174BE1EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:31.134{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E42DC300CA5F90915589CB2E4B392E,SHA256=A713736C6205A80CB8AE5C2D382D9BF4E9A1BCC7BA39BF6F9AEE6BE64C812D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:31.817{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCD45078D18623404AA4853BD965ED5,SHA256=7CC7C0F8638E82A0FEFEF4A90D6C43FF18EF5B182F25D3FB1664E75E31419840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:32.890{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3D8B505097F5C259CFD4E0B097654E,SHA256=60A0DF8A83FF5171D44026B4C55C42DEB8A4DECFA56963222EE91DF090241B00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:32.218{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC9E58B1CCC55D903CCCE544EDF5DCE,SHA256=96D115144B8079CD044748E313CF334285C0D07E78806AEDFF8F55108F9776DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:33.294{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CAE3923E2C805EFDDCBF6EB3790CE4,SHA256=D290B2BFF2F76161DC81F1183E2EDF1A733F9B43B6E8E21B3EA425E5C40A8190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.974{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE75140CA3D2D16A79B94C1C99314CE6,SHA256=5241E4413EEB0E4E4452F9C2D7EF7F1764DC084A13BE75CCF5AACEBF62CCCDF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.582{DAC7F284-9928-63CF-1600-00000000B102}12961396C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.582{DAC7F284-9928-63CF-1600-00000000B102}12961348C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.582{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-99F3-63CF-9D00-00000000B102}34202196C:\Windows\system32\csrss.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-9928-63CF-0C00-00000000B102}832864C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000020107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:31.196{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49833-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000020139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.882{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.875{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.868{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.852{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.851{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.844{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.843{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.840{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.838{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.836{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.821{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.814{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.805{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.795{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.791{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.772{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.767{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.738{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.704{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.675{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.654{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.626{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.542{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.526{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.497{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.460{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.445{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.434{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.423{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.418{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 23542300x800000000000000020109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.375{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D829C8260EA769EA61F31CB496225376,SHA256=6C816709D1E42199EC9FAA2298D59F38285709B7B4586A2BEA83443A0C1E711D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:32.659{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.623{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8B281F490245371E730A2C649F2587,SHA256=0CE1CAA1B2F733B252A0C09F4558CD21CC544C1B4BD5AC55F6674BB67442958D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9926-63CF-0500-00000000B102}396356C:\Windows\system32\csrss.exe{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.140{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:35.935{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88639C2C8F87D124176121920415AA50,SHA256=DE3D15EE904F80E6D1E6354A0B6DB660294F7B96E9FC78687EB1ED0648BEC118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.907{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.906{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.906{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.427{DAC7F284-9BDB-63CF-2B01-00000000B102}57602564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9926-63CF-0500-00000000B102}396412C:\Windows\system32\csrss.exe{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.261{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.073{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15622578A9B7D25E054D6C150453FE71,SHA256=94A5221437A837EC169CA9394C91BD7624E617BB769F2E9025B4D9C8E6F62826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.137{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235E111E9F631FC49F758688FB826281,SHA256=670D934C5ED8261977F83889562DD98D87702D3188C1973ACCF283545EC57AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9926-63CF-0500-00000000B102}396412C:\Windows\system32\csrss.exe{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:37.081{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7DBBACDE4094490304ECA002F49860,SHA256=3D56851301BB7573F23326616D1A1DBFD87BD3997CCBC9C52F2CD811D0FADE05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.568{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local60730-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.568{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local60730-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local389ldap 10341000x800000000000000045245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.379{DAC7F284-9BDD-63CF-2D01-00000000B102}55643196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.223{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC26EA2B5C66DFA7FC54C7102E2D04,SHA256=9F7FE5575C6A29D40C4DBC2AB46C46D682A4DD6EB5792AE4A2D3FD912C8B147C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:38.166{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA09B81E4145151404E5627322A8EF73,SHA256=84E1440D0AAD633A681D00627C8D7DAC7380A7BA5652ED5CC34C10EEA61D2892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.473{DAC7F284-9BDE-63CF-2E01-00000000B102}41002856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.317{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF5D014805C2E64FB27F9604D4DAB3A,SHA256=4207DDA9748A72ADBBCE24881215F392A9877694DFE7495AE9531DA14CC3AEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.286{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000020144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:37.206{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:39.245{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFBE08B1C0245ADAC3B336A57F7A655,SHA256=CA5AAA57BB1F260E4918D6ED917659B6752E90E1E914F06F32B10399DB71A5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:39.405{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFCC3C8E83B5D140BC1A1ED1D664DA2,SHA256=4BCC3BA5C2C964BA06139AC2C91CE35C7C63C4EC47F38AB9ABF285F335C7E31D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:40.332{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8E88A48F6EF16912FE85BDFC5601E3,SHA256=21754A35CF996ADFBDB2AC9D6B292B3135F0DBEF66479C67CAB786DA834067FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:40.495{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9F4A265CD24D0F557D1DC5600B615A,SHA256=E78BF92BD2719AE33C724EFA0C5CBECE5E0004638A0FDF23859AFDB89B89DF33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:41.433{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF2ACC67F526757E1A45C940A468DD9,SHA256=E99B5181D5964632F60696ADCFF5B141A6E85BC6C935CCEEA93EC3A120885A5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9926-63CF-0500-00000000B102}396356C:\Windows\system32\csrss.exe{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.944{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.632{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.646{DAC7F284-9BE1-63CF-2F01-00000000B102}57524968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.584{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C66483438BA08650BC25BD03491708,SHA256=00E1FE4CD8664098BFC33764179B4086779D5D020FA583B77A1A1BD0E06F9EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9926-63CF-0500-00000000B102}396356C:\Windows\system32\csrss.exe{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.444{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:42.522{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7BA94AE34D05F226D139A08CD2CAAA,SHA256=9D741CF8AECE95F759F8E4907E6C5C655484D44645A9285E22FF9FD6D8462E7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.883{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.880{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.877{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.875{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.870{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.864{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.863{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.855{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.850{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.847{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.846{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.844{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.815{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.809{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.795{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.787{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.781{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.773{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.761{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.747{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.727{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.718{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.710{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.672{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000045281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.671{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ED529AA7E86C4C84A52B5752100050,SHA256=0EC21FAFD183C21B94017D93ACBAE38318CB97BD979ECE15568A3B59BBD8B316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.667{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.562{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA95BF21D7681680778F29BD20677B63,SHA256=64720FBE1487737F18982674B9A599DFA14B240413D7CCF5A35A3A3CCCABEC32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:43.599{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB40ECAA361E187485B5BD68D26247D4,SHA256=4D433EA6741AEB53E9F48053B2399149DE19E0A4E765DE98C433E9A60BB473C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:43.711{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F5FE8B3D2E4C7D1E8EE74383B08F51,SHA256=FD21A84F2B809CC509B5A11929C9A7A97E3A440B18760B2DDBDA3151EC52424C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:43.214{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000020149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:44.673{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BF93356956FEB875A1A86AF9AD5B7D,SHA256=072D9F6A92B785316C96E0E8387596FE258F8DD43BAAC846B0537A763ECC67C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:44.798{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6676370FFD5C0AB22D48131621B8D93A,SHA256=447CEEFF9821402A620E96CFD15E7F88D0512AF1C6BB0C1C1B2173CD9D7B11FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:45.767{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEFD143CE4B5B10127E11CF0878D61E,SHA256=6CBD05050CAD8F0B2C95A4CCB38D44C97AA097BBD50D5A81ADCB4CADEA66E88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.903{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.903{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.893{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.883{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.875{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.868{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.864{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC042B6F595ACC0D23C6DE2C00F830FA,SHA256=C4A0F66C438D7C9F5B216C93A1B894A8A661D4107A1CFDEDBD5B7F1EB3EAD2FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.857{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.847{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.816{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.807{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 354300x800000000000000020150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:43.202{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49835