10341000x800000000000000039269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.128{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+f4a88|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+94c76|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+93a8f|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+fa0ea|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5089|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e60b8|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9a35|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5
154100x800000000000000039262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.099{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe9.0.0.505---CountInstalltion.EXE"C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe" /version 12.1.0.15250 /green 0 /appname "Foxit PDF Reader" /productid 1 /ReaderLang en_us /AgentName "Foxit Reader(bundle PhantomStd)" /AgencyID 90 /isPhantom 0 /newuser 1 /IsWin10 1 /updaterinstall Website /uninstall 0C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=A0482A7D4D5F804BEEF642D3F42BEDEB,SHA256=BA063AC1A37375D174FD323A1DFA05E44BA27E94917A1C7F3D5D224688ED82B3,IMPHASH=9E0489BDAC05725973504175B2148FAD{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe"
10341000x800000000000000039261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.099{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x800000000000000039374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPSConversion\FriendlyNamePSConversion
13241300x800000000000000039373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginImanage10\FriendlyNameiManage 10 Integration
13241300x800000000000000039372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitArchiveConnector\FriendlyNameAlfresco
13241300x800000000000000039371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDMSforLegal\FriendlyNameDMSforLegal Integration
13241300x800000000000000039370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginShareFile\FriendlyNameShareFile Integration
13241300x800000000000000039369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginContentSuite\FriendlyNameContentSuite Integration
13241300x800000000000000039368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginWorldox\FriendlyNameWorldox Integration
13241300x800000000000000039367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginEgnytePlugin\FriendlyNameEgnytePlugin
13241300x800000000000000039366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocumentum\FriendlyNameDocumentum Integration
13241300x800000000000000039365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\ACPPlugin\FriendlyNameACPPlugin
13241300x800000000000000039364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\AmanoTimeStamp\FriendlyNameAmanoTimeStamp
13241300x800000000000000039363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOpenText\FriendlyNameOpenText Integration
13241300x800000000000000039362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginContentSyndication\FriendlyNameFoxitInnerPluginContentSyndication
13241300x800000000000000039361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginNdOffice\FriendlyNameNdOffice
13241300x800000000000000039360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginiManageWork\FriendlyNameiManage 9 Integration
13241300x800000000000000039359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSubscribe\FriendlyNameFoxitInnerPluginSubscribe
13241300x800000000000000039358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLicenseManager\FriendlyNameFoxitInnerPluginLicenseManager
13241300x800000000000000039357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitDrive\FriendlyNameFoxitInnerPluginFoxitDrive
13241300x800000000000000039356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginBrowser\FriendlyNameFoxitInnerPluginBrowser
13241300x800000000000000039355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginConnectedPDF\FriendlyNameFoxitInnerPluginConnectedPDF
13241300x800000000000000039354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitAccountManagement\FriendlyNameFoxitInnerPluginFoxitAccountManagement
13241300x800000000000000039353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginConnectedPDFDRM\FriendlyNameConnectedPDF DRM
13241300x800000000000000039352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOFDViewer\FriendlyNameFoxitOFDViewer
13241300x800000000000000039351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginActionWizard\FriendlyNameActionWizard
13241300x800000000000000039350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginBoxPlugin\FriendlyNameBoxPlugin
13241300x800000000000000039349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDropboxPlugin\FriendlyNameDropboxPlugin
13241300x800000000000000039348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginGoogleDrive\FriendlyNameGoogleDrive
13241300x800000000000000039347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOneDriveForBusiness\FriendlyNameOneDriveForBusiness
13241300x800000000000000039346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOneDrive\FriendlyNameOneDrive
13241300x800000000000000039345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerMetaDataHandling\FriendlyNameFoxitInnerMetaDataHandling
13241300x800000000000000039344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\CusIntelRMSPlg\FriendlyNameCusIntelRMSPlg
13241300x800000000000000039343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginShareReview\FriendlyNameShareReview
13241300x800000000000000039342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginReadOutLoud\FriendlyNameSpeech
13241300x800000000000000039341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCPDFOCLink\FriendlyNameFoxitInnerPluginCPDFOCLink
13241300x800000000000000039340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginTouchup\FriendlyNameEdit Text
13241300x800000000000000039339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageEditor\FriendlyNameEdit Object
13241300x800000000000000039338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginIntegrateWithSP\FriendlyNameIntegrateWithSP
13241300x800000000000000039337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginWip\FriendlyNameWIP
13241300x800000000000000039336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitRMS_V2\FriendlyNameFoxitRMS_V2
13241300x800000000000000039335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FileOpen\FriendlyNameFileOpen
13241300x800000000000000039334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocuSign\FriendlyNameDocuSign
13241300x800000000000000039333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginComparePDF\FriendlyNameComparePDF
13241300x800000000000000039332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCommentsSummary\FriendlyNameCommentsSummary
13241300x800000000000000039331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPlgDynLoader\FriendlyNamePlgDynLoader
13241300x800000000000000039330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitUpdater\FriendlyNameFoxitUpdater
13241300x800000000000000039329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCalculator\FriendlyNameAccounting Calculator
10341000x800000000000000039328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.777{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.777{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5510|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e6401|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e64c1|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9816|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+60d60|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+45cfd|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+60eb0
154100x800000000000000039320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.764{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe12.1.0.15250Foxit PDF Reader 12.1Foxit PDF ReaderFoxit Software Inc.FoxitPDFReader.EXE"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=1132BC30E14F785DC94B0968B316920E,SHA256=A8A2AC478388A25808F3AA578B7F62767F0CEE3B35D6C82422EAA3A5AD4050B8,IMPHASH=A6A5EE4AEE40744E22C729923B18481F{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe"
10341000x800000000000000039319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
22542200x800000000000000039315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.967{00000000-0000-0000-0000-000000000000}4560cws.connectedpdf.com0type: 5 cws-site-1191008954.us-east-1.elb.amazonaws.com;::ffff:34.236.114.25;::ffff:34.226.74.2;<unknown process>
22542200x800000000000000039314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.803{00000000-0000-0000-0000-000000000000}6408globe-pis.foxitservice.com0type: 5 k8s-clientac-clientac-1bea27c063-867794477.us-east-1.elb.amazonaws.com;::ffff:54.162.170.221;::ffff:54.236.68.254;::ffff:52.87.5.71;<unknown process>
23542300x800000000000000039313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.595{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DB58ADD3315E28AC3483AEB017076C,SHA256=B348D29ACD3FDAE3778A451A71406EE97DE542659D90DB49E9AF343F985E1035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.524{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-037MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000039311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.715{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50269-
23542300x800000000000000039310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.162{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=240090DD77299EA2189985BF52B7CD70,SHA256=86BAD4C9C87B852AD623294BF8A4D5707D9B1F2123D15EB91D7A347E2DEACAE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.825{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C2565BA7D259D4A8C956859650D0F0,SHA256=FA7BDBD7F1B7592816E3C2DA8747B27234E27C26FE926E71887CA94F39803F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:39.076{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AFF9A4D70A38044B7D7D0F2A91B928,SHA256=10048C1C3DFA67D732EA43295F6CA806FCD268E7679D4351897759AE005FB300,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.524{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-038MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.431{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.431{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
534500x800000000000000039434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.400{FE4C2B44-E2B5-63C7-D305-00000000AF02}5236C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe
354300x800000000000000039433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.970{00000000-0000-0000-0000-000000000000}4560<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56213-false34.236.114.25ec2-34-236-114-25.compute-1.amazonaws.com443https
354300x800000000000000039432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.953{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60684-
354300x800000000000000039431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.907{00000000-0000-0000-0000-000000000000}6408<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56212-false192.124.249.36cloudproxy10036.sucuri.net80http
354300x800000000000000039430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.893{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61105-
354300x800000000000000039429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.808{00000000-0000-0000-0000-000000000000}6408<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56211-false54.162.170.221ec2-54-162-170-221.compute-1.amazonaws.com443https
354300x800000000000000039428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.740{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50269-
23542300x800000000000000039427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.381{FE4C2B44-E2B5-63C7-D305-00000000AF02}5236ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exeC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpMD5=C2468392C1A47E60B40C378318CA142F,SHA256=A20A0540CC72D9EEEAFD60680D5A75C56EEEB6483BE995044DF7FECDFEF30CC1,IMPHASH=F62B90E31ECA404F228FCF7068B00F31truefalse - insufficient disk space
534500x800000000000000039426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.366{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp
23542300x800000000000000039425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.366{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\_isetup\_setup64.tmpMD5=E4211D6D009757C078A9FAC7FF4F03D4,SHA256=388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95,IMPHASH=F672CB51B1362B8101CC947887B02F34truefalse - insufficient disk space
23542300x800000000000000039424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.350{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\FXCUSTOM.dllMD5=ACBE87ED13E8A2448D4E47AEA9923958,SHA256=CA843F1F5F4CB38A945C9865CC5C17F287480C1123C5F6B0D5985472A94B77AE,IMPHASH=EF29A0B6FB2AA8EC42138938AE12510Atruefalse - insufficient disk space
23542300x800000000000000039423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.343{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\error.bmpMD5=C5501CB29AFC1204C0D363D3B292C409,SHA256=EBEECE634EF25DC5678681F81345683FF9103F7E5F085CEEE1424E50AD8EC537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.343{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exeMD5=A0482A7D4D5F804BEEF642D3F42BEDEB,SHA256=BA063AC1A37375D174FD323A1DFA05E44BA27E94917A1C7F3D5D224688ED82B3,IMPHASH=9E0489BDAC05725973504175B2148FADtruefalse - insufficient disk space
10341000x800000000000000039421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.323{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.323{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.318{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.318{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.317{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.317{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.062{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913C6FCFD77FC58D71A01CF381B8BAF0,SHA256=D514E71D605AAE420F39D67EC1506B770E052105C653DCB12CEBE9235C24040A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
13241300x800000000000000039400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginInkSign\FriendlyNameInk Sign
13241300x800000000000000039399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitSmartRedact\FriendlyNameFoxitSmartRedact
13241300x800000000000000039398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageformat\FriendlyNamePageFormat
13241300x800000000000000039397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPDFOptimizer\FriendlyNamePDFOptimizer
13241300x800000000000000039396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPortfolio\FriendlyNamePortfolio
13241300x800000000000000039395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocProcess\FriendlyNameDocProcess
13241300x800000000000000039394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageOrganizer\FriendlyNamePageOrganizer
13241300x800000000000000039393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitSign\FriendlyNameFoxit Sign
13241300x800000000000000039392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFXExport\FriendlyNameFXExport
13241300x800000000000000039391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCReview\FriendlyNamecReview
13241300x800000000000000039390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCrossReferenceLinks\FriendlyNameCrossReferenceLinks
13241300x800000000000000039389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSignature\FriendlyNameSignature
13241300x800000000000000039388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOCRRecognition\FriendlyNameOCRRecognition
13241300x800000000000000039387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginRuler\FriendlyNameRuler
13241300x800000000000000039386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLayerPanelTool\FriendlyNameLayerPanelTool
13241300x800000000000000039385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginNamedPosition\FriendlyNameNamedPosition
13241300x800000000000000039384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginEmail\FriendlyNameEmail
13241300x800000000000000039383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSecurity\FriendlyNameSecurity
13241300x800000000000000039382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLoupeTool\FriendlyNameLoupeTool
13241300x800000000000000039381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\MarkanyDRM\FriendlyNameMarkanyDRM
13241300x800000000000000039380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FasooDRM\FriendlyNameFasooDRM
13241300x800000000000000039379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.931{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginU3DBrowser\FriendlyNameU3DBrowser
13241300x800000000000000039378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginAIPLabel\FriendlyNameAIPLabel Integration
13241300x800000000000000039377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFXTranslator\FriendlyNameFoxitInnerPluginFXTranslator
13241300x800000000000000039376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitTool\FriendlyNameFoxitInnerPluginFoxitTool
13241300x800000000000000039375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginMenuBall\FriendlyNameMenuBall
23542300x800000000000000039442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.926{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1DEF2661F8985D774AA6412B4070EB,SHA256=C4C403BD3CF09189471017AACB16FA8F9056B14C381FD731A52B3B96A6E5CC5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:40.169{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2416FB7436589C2F247567DD56B932A,SHA256=8F5B7ADDDF84607961E00F03BD1C0E3701D7737DD532204FC7544911F93118F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000039441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.150{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000039440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000039439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000039486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)
10341000x800000000000000039485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)
10341000x800000000000000039484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)
10341000x800000000000000039483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)
10341000x800000000000000039482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)
10341000x800000000000000039481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)
10341000x800000000000000039480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)
10341000x800000000000000039479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)
23542300x800000000000000015029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:41.262{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DFFE98A62FBBF712A5AE1F2D6AE151,SHA256=2BDB4A78F2C74833F76C334DA7EB4A2CFB246B59A8333460967E206B2672B75F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000039478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64)
10341000x800000000000000039477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64)
10341000x800000000000000039476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)
10341000x800000000000000039475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)
10341000x800000000000000039474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64)
10341000x800000000000000039473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64)
10341000x800000000000000039472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)
10341000x800000000000000039471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)
10341000x800000000000000039470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64)
10341000x800000000000000039469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64)
10341000x800000000000000039468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)
10341000x800000000000000039467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)
10341000x800000000000000039466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)
10341000x800000000000000039465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)
10341000x800000000000000039464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)
10341000x800000000000000039463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)
10341000x800000000000000039462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)
10341000x800000000000000039461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)
10341000x800000000000000039460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)
10341000x800000000000000039459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)
10341000x800000000000000039458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)
23542300x800000000000000015030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.376{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0395EA6AF4C0D7699F4E1DF75744508,SHA256=3D52A8C3438EF16E63CBFD38E716B151D586AED30532DA6473EF6127880E5D1B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:42.051{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6485705928237E656082113FC8BF9B27,SHA256=CC64B214B89216A67578B139EA0CE9D0F1F0192363E6055F69EC5D4DB9BA3060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:43.899{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BD55CE03C32BC053E61BBE55408B68,SHA256=1497D8B18D95297DC620EC41B89199FF21C297DFF00C0BF509544F01C95E99CD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.003{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50033-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000039503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000039496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.682{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56214-false10.0.1.12-8000-
10341000x800000000000000039495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.068{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED46E5C6EEB4D07CE9EEE3477FA64C6,SHA256=CD33B309DFBE00BA2B0AA2861FBFFC3B3CE1D6222D571257DACEDE1191110427,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:44.932{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BF70CCFE018A3FCBAEBFFEE8A2DF70,SHA256=6DBC50D1AFB025C17B7446CA6A73DF31B82B7A73B91E7D41B68D055F90D5840F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000039527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.957{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exeC:\Users\ADMINI~1\AppData\Local\Temp\%%%11A4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.615{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.606{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.606{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=657835BC7C6159BEF57CFF59F6BB4523,SHA256=A542CDCEB06EEA89A94F03C926815AE53F6DA8704215EB033E8C7BCB1124689E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.459{FE4C2B44-D9F5-63C7-1200-00000000AF02}7566572C:\Windows\System32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-E326-63C7-F905-00000000AF02}32606896C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000039507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.396{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe12.1.0.15192Foxit UpdaterFoxit UpdaterFoxit CorporationFoxit Updater.EXE"C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe" -updater -type "Auto Updater" -hwnd 66498 -bnoshowtip -readerpath "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\" -regpath "HKEY_CURRENT_USER\Software\Foxit Software\Foxit PDF Reader 12.0" -version "12.1.0.15250" -readerlang "en-US" -UpdateMode "1"C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=9968A58D93AF316E2D4EA79B0CCCF0FB,SHA256=3D79910A9B723D8B923AD7463BE373A9147745B743F5B03F7ABC25201CBC86DB,IMPHASH=BD3F29B8D5BB0B0238E0071DCEF6C8FA{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"
10341000x800000000000000039506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.386{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x800000000000000039505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localEXE2023-01-18 12:16:44.331{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe2023-01-18 12:16:44.331
23542300x800000000000000039504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.179{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD3444983C7F4E69301D0643DD9F2B3,SHA256=FB88EC6B06680229BA53F62D3F13F8091040D64250C7978189605F495FBF9B0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.921{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.921{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.827{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.827{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204E80A2F4588750C3A4F43FB8790212,SHA256=477F0DAFEFB2B010B51345DA7A18494353952D03124B8A6ADF8A91F5F635C110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA13304AAEB72731B29B2B6F5305CD37,SHA256=78C30DB9D5789F8232BC8D2CB5FE16A5EBA25AC1F590E9387149A2C1402A703D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000039594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.145{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64489-
354300x800000000000000039593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.112{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64489-
10341000x800000000000000039592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.613{FE4C2B44-E32D-63C7-FC05-00000000AF02}18441944C:\Windows\system32\conhost.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.521{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.496{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1416AF39515F603B585851FFF452CBF5,SHA256=395AA423C8EA47B5B015E9BD4607412C550B83218077BDC73F4D0951F13444DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.495{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
23542300x800000000000000039583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.494{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=BC27F57079DF8BF901D14291DC1B5CA2,SHA256=656C2679AD2E766A183D3FA74A796738348CB2B1C7F26822CA70EB0772E329FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+121c68|C:\Program Files\Mozilla Firefox\xul.dll+164f8d3|UNKNOWN(00000295DAA44B31)
154100x800000000000000039576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.487{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/1052e587-2eb3-4423-ae75-ebf8abca3a74/new-profile/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\1052e587-2eb3-4423-ae75-ebf8abca3a74 https://incoming.telemetry.mozilla.org/submit/telemetry/6f9e4b5a-cf53-4959-9c07-f023402ce9d4/event/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\6f9e4b5a-cf53-4959-9c07-f023402ce9d4 https://incoming.telemetry.mozilla.org/submit/telemetry/427643f4-4c37-40cb-b3ae-60b8792f9915/first-shutdown/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\427643f4-4c37-40cb-b3ae-60b8792f9915C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"
23542300x800000000000000039575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.484{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\aborted-session-pingMD5=56B91462F2DB1F0F3D753EDC179A8C11,SHA256=2283E17F2D8E031B2AE7ABB3900AF608BEEE8AABC17461A3B00370E3433BDEAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.398{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage.sqlite-journalMD5=071DA4A1729E7358276A3DD62A6D25B1,SHA256=A7C28E83F54C3AAC734158A45673484ECE0D72CBB2DF784B2588EBFEAAB0CEC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.390{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=E06099DCEC9B3E656C52155D4F3C66F7,SHA256=4C17982EEAE0900151AFFEE836BA940E111F3F183466B8929427C8A488A1BF2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.389{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D05CC57C001183075518A5E84D8C9459,SHA256=0BEC7DCACA9D36AE4A6ED7F7E7C0E7AE106B671AD392B870C25EE56627AC33F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.386{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.382{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-walMD5=A23787F00DB7FC0C15A54D8B68E69813,SHA256=9F1FCB43D403CAC53DF7AFB090771B95B5591E9E9E1441F774A4B172215D0462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.377{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=A76E2589039D24D9DC7FD862251DF429,SHA256=2ACA5EA4BD71CF8F3AA136F38510F547D51B2D27DC1F03ECE1C7B811FD565B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.370{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-walMD5=7F4B8CCCC5A28912620B8B7B99E2ED46,SHA256=731FDFE4DFB4F1C1D02545C8F0A736AD9E903469F5FDE805171B8702B195B203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.352{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-shmMD5=412F4E3C029A26346BF5027944CA1587,SHA256=A9087D7CB798FF00D8FC6E2672B7961D67B8876FDEEE5FD1A3635AE17DEA2F59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.345{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-walMD5=E6A2990F646213CBD61A5E27D355BAE4,SHA256=A221C803DD6EBDCBEC50B46B8158F2FCC6200D633213350532E692ADFED87AD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.322{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-shmMD5=5D0FAE2D151B96F9939D868185F2A75C,SHA256=F908D8E6791B2DC7614379E6E35B7B90DBF72158FA46DF17B96BFE0F54684C11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.292{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E2AB-63C7-D205-00000000AF02}3104C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(00000295DAA9A18D)
23542300x800000000000000039628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.358{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39CA3E34E48BAF6E8852FAEF27945A1,SHA256=173A4E9949F2C75E47313A7F03EE36C197269DC906E85D8C33AC8830D650A3E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.339{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.339{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000039621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.151{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.151{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.136{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:49.302{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D250D78BAA5CB8435361473018D6E56F,SHA256=29FB46D82ABC2B926ACE32C75C1AA16C2910E2A3F6D776D1BE460602F164238E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000039633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.774{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64912-
23542300x800000000000000039632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:49.417{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E5E7B5DE2638D2E144BD916E5E10F5,SHA256=0DD598EE3190F3AED92ACC24079834609E2A3F8C2F20F4052FF5DE374E0BA00D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:50.397{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A199904295C893A775DF2892203E91,SHA256=49F14927DDFFC58F0435FE0E8E4AA1E9B751AC55EF51ACD84CDB937AE427199A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.520{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25605C387A5679E91A72D67A8C378AB,SHA256=943F69EF01FEA1811327E73F7237CD5206F854F44B47B40A61F4BC0D18CB6224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000039635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000039634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
23542300x800000000000000015071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:51.481{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06056057B221E517425E0F19C798B9A4,SHA256=0B56C386EC66AF90B8879BA2170BF5F1A994E09419623373F5EEB3162B4CCBD7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000039669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.934{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.928{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.927{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.923{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.905{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.822{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc
10341000x800000000000000039670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc
23542300x800000000000000015073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:53.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6A3A665246A2669E7F4B68720082DC,SHA256=A86E7938841DF6942EFA9F1534A6D335E10C31BD44D4002535C587494874B4D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:53.921{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B3F853EB908C3187DAC594B70A5453,SHA256=76CE746E5F37D2C6649AA5F354C3F441DC896D3C51376E8A852C342C5E5E4A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:54.745{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21FF24D8131016F4216D554647750A9,SHA256=5F718D60E6DB785DBC7E6A408D4CDE9450ADF6B2DABB516FC34B486320706623,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000039757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.980{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.979{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.978{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.977{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.976{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.975{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.974{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.966{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
354300x800000000000000015074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:52.043{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50035-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000039748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.909{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.888{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000039734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.818{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=258FD40AB29D7BD8E104D606EA216AD9,SHA256=504E0D0E090A0B6F07B0A723136B8AEF9F01AA22CFE9E01E91EFE79A68F1538D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.520{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BB31CA60CF13AB52C2B01A783CD692E5,SHA256=028C27FB4CB230728191CC6724BAA0A23113308544F8FACBB78D38FCDF5C120E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.364{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.172{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:55.858{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACD18CBA13F7AA0D0086C8F5577C64A,SHA256=3E9B8E2EF44196CBA08949C933800F5355EFFC775C19F730A886EF1D2C6A981A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=C70088275245A7C3D68E85B6BAF8A41B,SHA256=BCA4727E5B0CDBB8DE78CB3138D15D5BBCBFECD83D8E01AFFB3790B6FB76563E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.260{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=5A74691BB2D63F99E2613172A6752D7C,SHA256=C10BD055921B31D7678E10BE917609EDA9FD5095F13F0F1D885F94764971A875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000039809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.780{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63763-
23542300x800000000000000039808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.495{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A729AE8E2EBC87DE697B5D231EC826B,SHA256=2CDFB477138CB97662EAB699F03AA4497A6A009F90A3395F43791A215F963C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.833{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.754{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.745{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.744{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.742{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.741{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.726{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.717{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.708{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.705{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.680{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.672{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.663{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.652{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.641{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.597{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.588{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.581{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.570{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.560{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.539{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
23542300x800000000000000015085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.373{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64E18057F2F44853E4C4A5FD0CE0900,SHA256=31D036074A83E85ADA061E51B3614C01A9450F5844ADB5D7BC096465D07C6AB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.951{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.701{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D1C1340B5CB08C7982EB40B7FC8175,SHA256=286D53C6A8FB059EF3C273125D638DB668AC39F8096A20AE08D58CF7C427B793,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000039814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:03.634{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data
23542300x800000000000000039813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:03.568{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BABED665C643A44EC461DF128DE0166,SHA256=C3DADB8797D9007F5C52B90F06143272EF67AF67E0DAA37E9A98E82B8E2A7F1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000039812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.899{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56223-false108.156.184.126server-108-156-184-126.cmh68.r.cloudfront.net80http
354300x800000000000000039811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.798{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56222-false108.156.184.126server-108-156-184-126.cmh68.r.cloudfront.net443https
22542200x800000000000000039810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.808{FE4C2B44-E326-63C7-F905-00000000AF02}3260ad.foxitsoftware.com0type: 5 d3p6bpyaguxd3a.cloudfront.net;::ffff:108.156.184.126;::ffff:108.156.184.54;::ffff:108.156.184.78;::ffff:108.156.184.105;C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
23542300x800000000000000015120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:04.992{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D28A4F18A69692F26948C79671E46D6,SHA256=6940C05E53E39FEC6AA0C804C79CD1E0ACB1B87CAC9E2115B940EE854D56145B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000039817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:04.878{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:04.626{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3284BC6935A63B6531C15860AE1D2125,SHA256=F40C17FB511D18DEDCA8802045074E9A1C338592430CAFAEFBB53C122AB2C417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000039815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.651{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56224-false10.0.1.12-8000-
23542300x800000000000000039819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:05.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325BF570CAD2C19627AA9EE86E53DD5A,SHA256=5BB66EA7CAA0A968BFC62F7A9DAC8E734D1A2289AB14BE364A8A97B899649324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.815{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50037-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
354300x800000000000000039818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.902{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local51264-
23542300x800000000000000039820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:06.778{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A042C2BAD150D48AAABA64B41E3D4B12,SHA256=CD3B979493B83503D186811D5CF4F40B3BA2322A20DB874F46FB5413D204E8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.910{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50038-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:06.083{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69033AE79DB51F53610CF7DF9FE7A205,SHA256=C6549623FB2A64808846454567D268EC6C6F1D02797DF2F06C7BD56AE4860C91,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:07.858{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FE78951806FA86F6A7D05C1297CD87,SHA256=71B7F25BD221C3195120E0A61749D326C94E7FF370E36363120B305827E67DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:07.173{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FFE98038EFC7B1D086D7E4799005FF,SHA256=0142E641F889711D6602A826F0BF84E1EF5AA101D609698A8BFCDEFB20FC8316,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:08.953{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A1C9A9C9BC0DC96D660D54ED2BB363,SHA256=F8F82CDB15F2E1496E1E66C95E290B7DA7F2F2DD945B742C62965ABE7FD223CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:08.266{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6F39EDED31F95CE551C899CEB0BB7E,SHA256=6D9A6A12896C2759552DEA4E1B2A88A47987A1C956B6FBE9FEE3B827298C6687,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:09.349{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5A915FC1188C1EF06FBA6D6A9468CE,SHA256=77E7A8021854878A1C8DCF57F6FBB5C0E322B12B857795DC99A87292CDB1B0D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:10.437{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D0272872E4510F421BF4ADC8DC607,SHA256=8E04E80163C166E950DD6CD63DFE80B324F8D7416638CBC7D1500733276590A8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000039824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:08.638{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56225-false10.0.1.12-8000-
23542300x800000000000000039823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:10.021{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7D910B94DF1D0FAD2239003CE7668F,SHA256=A9D7651CCB1106E0B8F76B23408396443B544CFEB9AE60C96475A2ADB898FF99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:11.513{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8043F04902BBE54544682C37CC7F7DB,SHA256=7B768C59C9A631D8EEDEF3DEB5FB2E09FDC9391505E0BEEE8EA84AE0D103E527,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:08.919{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50039-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000039850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000039848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.889{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=1B80EF8F2BA392FD93E40B2C2F5559AF,SHA256=2691E75B38FAB609D5151B177F5D68674E46A3E15CB40289BF3C33E5104E8317,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.739{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.678{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000039826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.675{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000039825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.099{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7015473FAC658136C7F4E6E44198EBA2,SHA256=CA5B6173F1318EFA6058C955DD34F502231F7A1A0DBB882E558AA6F43BAB28FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:12.716{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758F2C169EFE7A17BDB360E417787EF2,SHA256=A36A0C4B94715A0C783612CEF8A7EBEAD45E3B91C7B7D310298C573012A1C832,IMPHASH=00000000000000000000000000000000falsetrue
Sysmon event records, one per line, fields separated by " ; " (the export ran the fields together; the separator and the field legend are added here). Each record carries the event header followed by the EventData fields of the event's schema version:

Header (all events): EventID ; Version ; Level ; Task ; Opcode ; Keywords ; EventRecordID ; Channel ; Computer
EventID 3 (NetworkConnect, v5): RuleName ; UtcTime ; ProcessGuid ; ProcessId ; Image ; User ; Protocol ; Initiated ; SourceIsIpv6 ; SourceIp ; SourceHostname ; SourcePort ; SourcePortName ; DestinationIsIpv6 ; DestinationIp ; DestinationHostname ; DestinationPort ; DestinationPortName
EventID 10 (ProcessAccess, v3): RuleName ; UtcTime ; SourceProcessGUID ; SourceProcessId ; SourceThreadId ; SourceImage ; TargetProcessGUID ; TargetProcessId ; TargetImage ; GrantedAccess ; CallTrace
EventID 13 (RegistryEvent, v2): RuleName ; EventType ; UtcTime ; ProcessGuid ; ProcessId ; Image ; TargetObject ; Details
EventID 23 (FileDelete, v5): RuleName ; UtcTime ; ProcessGuid ; ProcessId ; User ; Image ; TargetFilename ; Hashes ; IsExecutable ; Archived

23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39853 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:12.988 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System ; MD5=94A86589B9F0CAE88F080A40333C769C,SHA256=0FAB38009BA74D0FE38667ACD1CE5D563303369DCA27FC9CD0765D7D5291B136,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39852 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:12.369 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA03-63C7-2900-00000000AF02} ; 2712 ; C:\Windows\system32\dfssvc.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39851 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:12.162 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=0066712347901227D8AD8FD7D3621AAB,SHA256=7BBB7BB41011138F90E503E54A42813FC55F96EDD2A785FFDFC64F5C4DC10AA5,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15131 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:13.794 ; {E5A8D418-DCCE-63C7-EB00-00000000B002} ; 3756 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=99B11EC082BAEB3E205DD50C56908F8D,SHA256=A662C8BF99F5B11BF41185B5FB55E287BDE0D25878B85ECD7DC118AEA22AAF54,IMPHASH=00000000000000000000000000000000 ; false ; true
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39854 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:13.222 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=9AAF193F4CE54F752FDF504785B02DB8,SHA256=566781A64A13EBB8C8CF4E42EEAB2B8BD658BA4DCDC71F964AD2A8E69E85E143,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15132 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:14.885 ; {E5A8D418-DCCE-63C7-EB00-00000000B002} ; 3756 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=C87D6483E4B50E214D43DC3F825B9FAC,SHA256=E7C724363E496994EA2608E7FF2B540ADE10582B75D208AB1C0D8C141F4C11DA,IMPHASH=00000000000000000000000000000000 ; false ; true
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39871 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.972 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DDF9-63C7-C404-00000000AF02} ; 5200 ; C:\Windows\Explorer.EXE ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39870 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.961 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DDF7-63C7-B504-00000000AF02} ; 1332 ; C:\Windows\system32\svchost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39869 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.950 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DDF7-63C7-B104-00000000AF02} ; 5076 ; C:\Windows\System32\rdpclip.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39868 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.944 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DDF5-63C7-A404-00000000AF02} ; 4616 ; C:\Windows\system32\dwm.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39867 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.943 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DDF4-63C7-A104-00000000AF02} ; 4952 ; C:\Windows\system32\winlogon.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39866 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.940 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA7E-63C7-F900-00000000AF02} ; 4844 ; C:\Windows\System32\msdtc.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39865 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.936 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39864 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.932 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA6F-63C7-DB00-00000000AF02} ; 4048 ; C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39863 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.931 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA67-63C7-AE00-00000000AF02} ; 4912 ; C:\Windows\system32\conhost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39862 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.926 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA67-63C7-AA00-00000000AF02} ; 2092 ; C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39861 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.925 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA1C-63C7-7500-00000000AF02} ; 3048 ; C:\Windows\system32\conhost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39860 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.924 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA1C-63C7-7400-00000000AF02} ; 3024 ; C:\Windows\system32\WinrsHost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39859 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.923 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA05-63C7-3E00-00000000AF02} ; 3580 ; C:\Windows\system32\conhost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39858 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.921 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA05-63C7-3B00-00000000AF02} ; 3500 ; C:\Program Files\Amazon\SSM\ssm-agent-worker.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39857 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.413 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA03-63C7-2C00-00000000AF02} ; 1648 ; C:\Windows\System32\vds.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39856 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.412 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DA03-63C7-2A00-00000000AF02} ; 2844 ; C:\Windows\system32\wbem\unsecapp.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39855 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.294 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=6648FF478E0DF15A25B51E2EB9E78E5F,SHA256=FE870B99AC83AA1F2FB5791A5A361C8946854FDDEAFF069926FA9EB4D2BB1479,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15134 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:15.983 ; {E5A8D418-DCCE-63C7-EB00-00000000B002} ; 3756 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=B5DCBDB2009DA0FE603F0EB6EEFCC817,SHA256=F0DC7270804134D21688B9FF394DF44CD82FD1EBD28E8F41416AAEDBF04B04A2,IMPHASH=00000000000000000000000000000000 ; false ; true
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39881 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.353 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=4E44023631CD6C2AE39BE46C183F9283,SHA256=7B00699F00D88525A1F46E4B98501F893791C9F71A853C3E15E0C6286230F020,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
3 ; 5 ; 4 ; 3 ; 0 ; 0x8000000000000000 ; 15133 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:14.062 ; {E5A8D418-DCC7-63C7-D000-00000000B002} ; 3144 ; C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; NT AUTHORITY\SYSTEM ; tcp ; true ; false ; 10.0.1.15 ; win-host-ctus-attack-range-933.us-east-2.compute.internal ; 50040 ; - ; false ; 10.0.1.12 ; ip-10-0-1-12.us-east-2.compute.internal ; 8000 ; -
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39880 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.047 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E326-63C7-F905-00000000AF02} ; 3260 ; C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39879 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.046 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E318-63C7-EF05-00000000AF02} ; 5628 ; C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39878 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.044 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E318-63C7-EE05-00000000AF02} ; 3480 ; C:\Windows\servicing\TrustedInstaller.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39877 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.043 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E317-63C7-ED05-00000000AF02} ; 6268 ; C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39876 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.041 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E0D1-63C7-5E05-00000000AF02} ; 5280 ; C:\Windows\system32\conhost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39875 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.041 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E0D1-63C7-5D05-00000000AF02} ; 4176 ; C:\Windows\system32\cmd.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39874 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.037 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-E02A-63C7-4705-00000000AF02} ; 4708 ; C:\Windows\system32\wbem\wmiprvse.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39873 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.025 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DE09-63C7-F204-00000000AF02} ; 5228 ; C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 39872 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:15.010 ; {FE4C2B44-DE08-63C7-F104-00000000AF02} ; 6068 ; 6500 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {FE4C2B44-DE08-63C7-EF04-00000000AF02} ; 6056 ; C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe ; 0x40 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
3 ; 5 ; 4 ; 3 ; 0 ; 0x8000000000000000 ; 39883 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:14.569 ; {FE4C2B44-DA6F-63C7-DB00-00000000AF02} ; 4048 ; C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; NT AUTHORITY\SYSTEM ; tcp ; true ; false ; 10.0.1.14 ; win-dc-ctus-attack-range-271.attackrange.local ; 56226 ; - ; false ; 10.0.1.12 ; - ; 8000 ; -
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39882 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:16.426 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=F881BEA71444101670C3E52449FFA9D9,SHA256=7EC01980B31ABA5FF0695AA487178E36D9ADD8E11BF053F0E35AAF5778FE3D24,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 15149 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-0B00-00000000B002} ; 632 ; 680 ; C:\Windows\system32\lsass.exe ; {E5A8D418-DC44-63C7-1600-00000000B002} ; 1224 ; C:\Windows\System32\svchost.exe ; 0x1000 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 ; 3 ; 4 ; 10 ; 0 ; 0x8000000000000000 ; 15148 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-0B00-00000000B002} ; 632 ; 680 ; C:\Windows\system32\lsass.exe ; {E5A8D418-DC44-63C7-1600-00000000B002} ; 1224 ; C:\Windows\System32\svchost.exe ; 0x1000 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15147 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpConnForceBroadcastFlag ; DWORD (0x00000000)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15146 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\IsServerNapAware ; DWORD (0x00000000)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15145 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\AddressType ; DWORD (0x00000000)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15144 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\LeaseTerminatesTime ; DWORD (0x63c7f15c)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15143 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\T2 ; DWORD (0x63c7ef9a)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15142 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\T1 ; DWORD (0x63c7ea54)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15141 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\LeaseObtainedTime ; DWORD (0x63c7e34c)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15140 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\Lease ; DWORD (0x00000e10)
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15139 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpServer ; 10.0.1.1
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15138 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpSubnetMask ; 255.255.255.0
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15137 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpIPAddress ; 10.0.1.15
13 ; 2 ; 4 ; 13 ; 0 ; 0x8000000000000000 ; 15136 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; SetValue ; 2023-01-18 12:17:16.421 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpInterfaceOptions ; Binary Data
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15135 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:16.358 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; NT AUTHORITY\LOCAL SERVICE ; C:\Windows\System32\svchost.exe ; C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat ; MD5=F2EABC7A5B1B5D42369ACB8E1BEC83B4,SHA256=2187721FEC90464BC064CD06A5E6ECF4AFC30E31D464A494EF26E775B42D4DAB,IMPHASH=00000000000000000000000000000000 ; false ; true
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39884 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:17.519 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=FC3395AC5A6824505B4A2E37DA9B23A9,SHA256=F8EA40BDF797F476B57EDB7936D9634101A4834CE18262B3430690ED3BDCCC5E,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
3 ; 5 ; 4 ; 3 ; 0 ; 0x8000000000000000 ; 15151 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:16.300 ; {E5A8D418-DC43-63C7-1200-00000000B002} ; 1012 ; C:\Windows\System32\svchost.exe ; NT AUTHORITY\LOCAL SERVICE ; udp ; true ; false ; 10.0.1.15 ; win-host-ctus-attack-range-933.us-east-2.compute.internal ; 68 ; bootpc ; false ; 10.0.1.1 ; ip-10-0-1-1.us-east-2.compute.internal ; 67 ; bootps
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15150 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:17.058 ; {E5A8D418-DCCE-63C7-EB00-00000000B002} ; 3756 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=83E17E21F760FB2D923B13E68D2B48E1,SHA256=7BFA1F1DE7C49609A2B603A13B51AF912470251EB24FC8E655E8C9587646BB63,IMPHASH=00000000000000000000000000000000 ; false ; true
3 ; 5 ; 4 ; 3 ; 0 ; 0x8000000000000000 ; 39886 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:17.176 ; {FE4C2B44-DA03-63C7-2700-00000000AF02} ; 2624 ; C:\Windows\System32\dns.exe ; NT AUTHORITY\SYSTEM ; udp ; false ; false ; 10.0.1.14 ; win-dc-ctus-attack-range-271.attackrange.local ; 53 ; domain ; false ; 10.0.1.15 ; ip-10-0-1-15.us-east-2.compute.internal ; 49616 ; -
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39885 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:18.591 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=2DC6210AAA2D2DA64ACFD6BBDCAD3799,SHA256=84DF5BDE69A143CD632E01A7C3913C5DB02DCABA18B32FC98567992DD81B00FD,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
3 ; 5 ; 4 ; 3 ; 0 ; 0x8000000000000000 ; 15154 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:16.313 ; {E5A8D418-DC44-63C7-1600-00000000B002} ; 1224 ; C:\Windows\System32\svchost.exe ; NT AUTHORITY\NETWORK SERVICE ; udp ; true ; true ; a00:10f:0:0:5891:e5bb:9da:ffff ; - ; 59288 ; - ; true ; e000:fc:0:0:0:0:0:0 ; - ; 5355 ; llmnr
3 ; 5 ; 4 ; 3 ; 0 ; 0x8000000000000000 ; 15153 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:16.313 ; {E5A8D418-DC44-63C7-1600-00000000B002} ; 1224 ; C:\Windows\System32\svchost.exe ; NT AUTHORITY\NETWORK SERVICE ; udp ; true ; true ; fe80:0:0:0:580:c047:29af:3818 ; win-host-ctus-attack-range-933.us-east-2.compute.internal ; 59288 ; - ; true ; ff02:0:0:0:0:0:1:3 ; - ; 5355 ; llmnr
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15152 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:18.153 ; {E5A8D418-DCCE-63C7-EB00-00000000B002} ; 3756 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=14F7201F3D062DACF061A62A88835F9A,SHA256=288F4E6F498FEFC85D9A52548AD22397E9DA48E1AC55C74CF0794B73FDB2DFAC,IMPHASH=00000000000000000000000000000000 ; false ; true
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 39887 ; Microsoft-Windows-Sysmon/Operational ; win-dc-ctus-attack-range-271.attackrange.local ; - ; 2023-01-18 12:17:19.661 ; {FE4C2B44-DA75-63C7-F400-00000000AF02} ; 2900 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=A333F432362AEB4A1348F216A0C8CBFE,SHA256=1D46536E990FECAD7F62459235BA2514326FF4748651B781E6DCCC345ECB0A33,IMPHASH=00000000000000000000000000000000 ; false ; false - insufficient disk space
23 ; 5 ; 4 ; 23 ; 0 ; 0x8000000000000000 ; 15155 ; Microsoft-Windows-Sysmon/Operational ; win-host-ctus-attack-range-933 ; - ; 2023-01-18 12:17:19.231 ; {E5A8D418-DCCE-63C7-EB00-00000000B002} ; 3756 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=2039EE3381E045A8592A4F1FEB3D15CB,SHA256=71D5163F82A2B860789882E6EB090102578F8DEBD6331FEF1A4F73C1D8AE07D5,IMPHASH=00000000000000000000000000000000 ; false ; true
23542300x800000000000000039888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:20.755{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C7786C73CA6CBB204D32E27422520A,SHA256=53C715E9DE7C23BAACA519E2DC7670B899011883948A6120F00039BFAFCA817B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:20.308{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83F0629479B813AE9653A39A15A9A65,SHA256=1A94A25396BBC3F167EAB008CE9501AC3C5BA97AFD63B7728A39F9B05CFB6173,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:21.852{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229DF8C4E46A22F51D6883DAAFF9BCF7,SHA256=F79648DA01676DD32853F83B5BA4B59A96184025FDC19B61D8E06281572557EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:20.063{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50041-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:21.398{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F11DB72E196B537B738E748B6ED4338,SHA256=ECB9BC120B825AF0D217BC6E9751C77AB38B2382BF9183D1832B54A425DAC55D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:22.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6FE9E9CA6ED3986B1E78A62F62C58D,SHA256=1C029E7DD082FF2889D2DCDDFBFB6A0A86E76A4C791C2E4099EC8AFD03907B4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.770{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.759{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.755{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.743{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.731{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.730{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.673{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.660{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.643{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.603{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.596{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.572{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.564{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.556{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.554{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.547{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x800000000000000015159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.486{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D865239FD0320274F3C5F698F232DF,SHA256=FF98E5271593B85F687D65E0D46F2516482B764A35F65B335B6B084D4520B88D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:23.803{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF896B35B1254721A9B6A043B086B1,SHA256=A82AEB5139909CC05379A000DA5A6296571E05927DC25B036F0B89C3D4174A7D,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000039891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:19.666{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56227-false10.0.1.12-8000-
23542300x800000000000000015192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:24.863{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2267327D502A3A3174F9C5DA40A1822,SHA256=4059F25D071EB874AD09372C1A6D5BCB97189E7324D6D06B34B4DCC4C8457137,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:24.002{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA318C2B0CE5AC663184E8BD27A58D7F,SHA256=F535C88F08158F705BEBCC259B96A3B46C4BE2CAA9339A5BB6C647475C8DA805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.958{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B5426BAE48B4CAD261C935C8293C09,SHA256=752E08E94A969DA849FE387DB4D0A7F6DE81766AD5302FFCF09EBCE6FA60B41D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:25.086{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB7FB04FBAC0EB6B44D0766BFC83F2,SHA256=14E755A6F6552134B95F4A31DA5B7B41F908416C122A6B9AFF4273008909F518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.669{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.669{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.669{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.655{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.495{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5F57D200D3B74EC70A64E966C2BD1FC3,SHA256=F50B9208454B401280C68F706976C594D799862321F4E327870BC6C8176C9638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.308{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966840C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.308{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966840C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.152{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21338ED302A416E61CFE41B3663AAC2,SHA256=34133A6839543347AF836CEAA2DE271757B90BEEED69B804D58AB451C32F6B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
23542300x800000000000000039899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.471{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000039898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.221{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866448B0CF79808A8AA8353628E7597E,SHA256=A482F3D846C503926410AE8E89060F34A704AB35945D36CB7AFFF2D9F8D20448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.915{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50042-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:27.048{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AA3C9DBD0D966B19770A7FD7393E50,SHA256=78A702A5A7602F2C254D849696116C0A70F4A07A6DC0A1F3C32FC3721F5B917D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:28.142{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23BDE77C77CA741A917F3E99BD7629,SHA256=906CD3BA880ADF3C190D09C64A3FEE4B0167F83C792AEA456FD3D8F967964A3B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.295{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6516F0FB0C9E952C38C0C9552FC3A1C,SHA256=82BDB827C70E32DBBC13DB429AA78FCFC0F29922EF233C18D59B82FE77EEB58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.170{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.170{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E358-63C7-0006-00000000AF02}5736C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E358-63C7-0006-00000000AF02}5736C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.167{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.167{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000039901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:25.562{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56228-false10.0.1.12-8000-
10341000x800000000000000015227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.862{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000015237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000039948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.702{FE4C2B44-E35A-63C7-0306-00000000AF02}69326940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000039947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.592{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D1B4DD4C5FE9FBC7F711708FB1454FF,SHA256=C9A3081D030EAE8BABE9906BF08E2095F9E41D10BF98823C873B20B4099CEEFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000039939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.546{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000039938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.467{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA09F96C6A2E264A5F596EE42259978,SHA256=71688391E5804B657BE055CCEF18E9F7791D44EED40F48662B1AC5F929D71E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.080{E5A8D418-E359-63C7-E101-00000000B002}3204984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000039937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.469{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56230-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds
354300x800000000000000039936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.469{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56230-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds
10341000x800000000000000015260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.757{E5A8D418-E35B-63C7-E301-00000000B002}34723500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.632{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F8E40417782C3F7081988BE5BAFCBA,SHA256=69BC82C48A121D8A8F6C874D0D5F68FD621DE56FB1C5238E34A95CE45E53344B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.573{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000039982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.809{FE4C2B44-E35B-63C7-0406-00000000AF02}70762296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.687{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000039957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000039950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000039949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.547{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A73D6FA8DDFA99E2919917430A96F9,SHA256=57A73DF27D8D79D6FF57938B161052F408ABCA61A923BE449DD97D4FE0F88F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.198{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB0F48746B23524003E92E2B0C5003F4,SHA256=C83CCB2A6805449D175D14B0E2C9B8BAD5C0CEE2348C60BC2E286E20F9BB3D59,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.953{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50043-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.836{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EFA09EDC8E4FDC1C0F1D87DCC8DE75,SHA256=BA9E1693E0BCC70C7EC68040F4EB21209D0012265C3C72088E80862EC0D06595,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.752{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16972A01117324DF7C343D0864D25F4,SHA256=A49312494FE81AC68C9B22440F715E8A8E0D078982FAD71D7E7AC1C30CBA6B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.603{FE4C2B44-E35C-63C7-0506-00000000AF02}55641884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.557{E5A8D418-E35C-63C7-E401-00000000B002}37403048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.530{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.530{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.530{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.367{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000039992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000039987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000039986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000039985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.463{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000039984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.368{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E54D6D9CAAD3FBC35174BCB3AD5E6EAA,SHA256=53754D874BC7B15DED523E371AE6759AC3521BE521CA9F62159D80851404EA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000039983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.188{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
23542300x800000000000000015294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.921{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B93DFA9C912D9DD0EBBDD51F70187,SHA256=2EC28E5032D34D330160843FAAD536DFFA7FD7014B28A358F186F3092562EAC1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.930{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000040005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.670{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C546ED0DF2BF8AD572EEF4255719465B,SHA256=834DDE16726E7720245C66F99AD3A4DC6E4CE3607B645C10D635902CE5C07A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15293; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.216; SourceProcessGUID={E5A8D418-E35D-63C7-E501-00000000B002}; SourceProcessId=292; SourceThreadId=3240; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; TargetProcessGUID={E5A8D418-DCC0-63C7-9F00-00000000B002}; TargetProcessId=3096; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15292; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DCC0-63C7-A300-00000000B002}; SourceProcessId=968; SourceThreadId=3180; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={E5A8D418-E35D-63C7-E501-00000000B002}; TargetProcessId=292; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15291; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15290; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15289; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15288; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15287; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15286; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15285; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15284; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15283; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0500-00000000B002}; SourceProcessId=416; SourceThreadId=3684; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={E5A8D418-E35D-63C7-E501-00000000B002}; TargetProcessId=292; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15282; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; SourceProcessId=728; SourceThreadId=3236; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15281; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.044; SourceProcessGUID={E5A8D418-DCC0-63C7-9F00-00000000B002}; SourceProcessId=3096; SourceThreadId=3280; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={E5A8D418-E35D-63C7-E501-00000000B002}; TargetProcessId=292; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15280; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:17:33.045; ProcessGuid={E5A8D418-E35D-63C7-E501-00000000B002}; ProcessId=292; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; FileVersion=-; Description=-; Product=-; Company=-; OriginalFileName=-; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={E5A8D418-DC43-63C7-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9; ParentProcessGuid={E5A8D418-DCC0-63C7-9F00-00000000B002}; ParentProcessId=3096; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40004; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.320; SourceProcessGUID={FE4C2B44-E35D-63C7-0606-00000000AF02}; SourceProcessId=5780; SourceThreadId=6972; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; TargetProcessGUID={FE4C2B44-DA67-63C7-AA00-00000000AF02}; TargetProcessId=2092; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40003; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:30.573; ProcessGuid={FE4C2B44-DA6F-63C7-DB00-00000000AF02}; ProcessId=4048; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-ctus-attack-range-271.attackrange.local; SourcePort=56231; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40002; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-DA67-63C7-AE00-00000000AF02}; SourceProcessId=4912; SourceThreadId=3668; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={FE4C2B44-E35D-63C7-0606-00000000AF02}; TargetProcessId=5780; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40001; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02}; SourceProcessId=832; SourceThreadId=284; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02}; TargetProcessId=2452; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40000; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02}; SourceProcessId=832; SourceThreadId=284; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02}; TargetProcessId=2452; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=39999; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02}; SourceProcessId=832; SourceThreadId=284; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02}; TargetProcessId=2452; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=39998; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02}; SourceProcessId=832; SourceThreadId=284; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02}; TargetProcessId=2452; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=39997; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-D9F3-63C7-0500-00000000AF02}; SourceProcessId=408; SourceThreadId=2524; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={FE4C2B44-E35D-63C7-0606-00000000AF02}; TargetProcessId=5780; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=39996; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; SourceProcessGUID={FE4C2B44-DA67-63C7-AA00-00000000AF02}; SourceProcessId=2092; SourceThreadId=4876; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={FE4C2B44-E35D-63C7-0606-00000000AF02}; TargetProcessId=5780; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=39995; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:33.151; ProcessGuid={FE4C2B44-E35D-63C7-0606-00000000AF02}; ProcessId=5780; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; FileVersion=8.2.5; Description=Registry monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-regmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={FE4C2B44-D9F3-63C7-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778; ParentProcessGuid={FE4C2B44-DA67-63C7-AA00-00000000AF02}; ParentProcessId=2092; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40040; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.808; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; TargetProcessId=3260; TargetImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40039; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.807; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E318-63C7-EF05-00000000AF02}; TargetProcessId=5628; TargetImage=C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40038; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.805; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E318-63C7-EE05-00000000AF02}; TargetProcessId=3480; TargetImage=C:\Windows\servicing\TrustedInstaller.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40037; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.805; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E317-63C7-ED05-00000000AF02}; TargetProcessId=6268; TargetImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40036; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.804; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E0D1-63C7-5E05-00000000AF02}; TargetProcessId=5280; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40035; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.803; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E0D1-63C7-5D05-00000000AF02}; TargetProcessId=4176; TargetImage=C:\Windows\system32\cmd.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40034; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.802; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-E02A-63C7-4705-00000000AF02}; TargetProcessId=4708; TargetImage=C:\Windows\system32\wbem\wmiprvse.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40033; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.796; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DE09-63C7-F204-00000000AF02}; TargetProcessId=5228; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40032; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.784; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DE08-63C7-EF04-00000000AF02}; TargetProcessId=6056; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40031; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.756; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40030; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.750; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DDF7-63C7-B504-00000000AF02}; TargetProcessId=1332; TargetImage=C:\Windows\system32\svchost.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40029; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.743; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DDF7-63C7-B104-00000000AF02}; TargetProcessId=5076; TargetImage=C:\Windows\System32\rdpclip.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40028; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.738; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DDF5-63C7-A404-00000000AF02}; TargetProcessId=4616; TargetImage=C:\Windows\system32\dwm.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40027; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.737; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DDF4-63C7-A104-00000000AF02}; TargetProcessId=4952; TargetImage=C:\Windows\system32\winlogon.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40026; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.735; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DA7E-63C7-F900-00000000AF02}; TargetProcessId=4844; TargetImage=C:\Windows\System32\msdtc.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40025; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.732; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DA75-63C7-F400-00000000AF02}; TargetProcessId=2900; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40024; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.731; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B240F67B0920A5615C547341BAEDC6B6,SHA256=1E73BD17E54164E231328351D5FB6242ECF1E79E42EADACBB39BFE0BBFF97918,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40023; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.730; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DA6F-63C7-DB00-00000000AF02}; TargetProcessId=4048; TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40022; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.729; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DA67-63C7-AE00-00000000AF02}; TargetProcessId=4912; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40021; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.726; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DA67-63C7-AA00-00000000AF02}; TargetProcessId=2092; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40020; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:17:34.725; SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId=6068; SourceThreadId=6104; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; TargetProcessGUID={FE4C2B44-DA1C-63C7-7500-00000000AF02}; TargetProcessId=3048; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000040019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000040018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000040017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000015313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.514{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.514{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.514{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.513{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.513{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.513{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.371{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000040016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.284{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597B846C068EECDA33372EC94F9411D3,SHA256=9FAE7394E013F5E7AB5C4D51CEE5EE43DDBC00415AE0E497D65B5BF52BEE2DE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.212{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
10341000x800000000000000040014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.211{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
23542300x800000000000000040041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:35.794{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B85D20AB037C669F3E8E5D91BE020,SHA256=188D9486305E544EFD5DD0C85A506440BFDB1025BFE368865996F0BAD925FCC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:35.638{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5B859C5CAE4389DFB9361B2E1EE340,SHA256=123CD63E19312965FB070D3539662E5342C19F72222D1315395415C81B295A12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:35.008{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FC6A932830A3D7B6DC3AA92B980913,SHA256=7D59A8ABA2E24D08D953EAE999852B3DD706CA529DBBD2687EB3BEF82A3294A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:36.876{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C994433C6649EFB893A246F958E6E0D,SHA256=C91B9D85B38F01514C236D3E0DDC1CD7665DD103D83A623829FE83B951AC5C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:36.092{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63174E7334A2CDF342F32E68A875EBE2,SHA256=D85AF5744E83FF82540409AE1828F7C8FBC515CEB61F9CC6D0448F713CA0C5DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:37.963{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6B072F358BCBA302DB9A60995ED3AA,SHA256=9B4A267C7C7F290DBF3635D1EAC99B8FC08164DE2A6174BF57E40F3D812300CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:37.178{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AFE30F8615BCA1929B8B70D6BEC5FD,SHA256=F9C2AFE3C3D04E4282AE355D030352F240BFBB57C4B2CDA558531077ED390F7C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:38.278{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044F262A7A340C25918FC6BF0030873A,SHA256=359293A93AB85F89F96736F046082387E8B61ED3BCBFA4DA4C4C115AC919CF95,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:36.112{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50044-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000040044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:35.728{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56232-false10.0.1.12-8000-
23542300x800000000000000015320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:39.254{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97F11D8A710C3330FE3435902D1914B,SHA256=ECA20DA1512CBC55DBB87B2A530E4E24F3DEDF9C3D83F2A91674DCEF5282040C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:39.798{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2586AB0660BCF87A2E76CEA3A9169BBF,SHA256=C46D5F15F774264A2BD5AE41AC80DF00793A3D6BB48A37D36344B4E66263C40B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:39.025{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A30200239D3F6B60038DD4673C2B253,SHA256=2FC44739D1638F1798EAE396586F943C90270742B90F558A52574D5729C8C8E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000040061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:47.667{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56234-false10.0.1.12-8000-
354300x800000000000000015362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:48.049{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50046-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:51.557{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5F2D81A2D4884E98B067A7CC2EB6E7,SHA256=E1A185E0E71271072BF8FBE23FAFBE698207BA65C5B70BE3F84F5A1B8C5E3496,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.951{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E458CDF87D91631034205ECE7EEEF76,SHA256=2FF0B4E17CCC35382959EE8752F4D417F31FE44E645ECC414BD949B9AB4A16D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
23542300x800000000000000015365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:52.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C660A08B5907604272E3C4E88A5D01E,SHA256=DA3ABACEFCE938F239A0BD45EBC6803A05E199CCA6FF20A370F784A6BC6C1EBA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:52.243{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
13241300x800000000000000040093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.129{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x800000000000000040092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.113{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x800000000000000040091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.101{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x800000000000000040090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.096{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x800000000000000040089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.041{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x800000000000000040088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.018{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data
23542300x800000000000000015366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:53.757{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFDD2260AD07EF3C036FE684E7B21D6,SHA256=41B16C87818E3A08E8C774F9F3245F06C9A22C718789A4C4D17D837FA197C0AD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.559{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56235-false72.21.91.29-80http
354300x800000000000000040096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.549{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57463-
23542300x800000000000000040095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:52.999{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8954849E40AF09C1BAC42BECE3528D75,SHA256=9879AFA4FDAB81840F9348BE421C9E27149614AA9AD143240B5FFF2F01A24AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:54.844{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BB200F5CB65EFB8A7648E6B2FF0BE7,SHA256=0D592DD9D832FED9212B39DAEBBD853AAECEFA44F229A72CDF289A389ED735C7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.989{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.935{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.906{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.905{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.905{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.898{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.871{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.871{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.871{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.870{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.870{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.870{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15
154100x800000000000000040120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.859{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap18804:76:7zEvent29155C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK
10341000x800000000000000040119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.266{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.265{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
10341000x800000000000000040102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.187{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.173{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.074{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC22762BF80F8BEB11285BC7FAE0336,SHA256=946171D28E3E43B00AD2C177DCCBC328819BC258A9A3DF0ED0FD1566865DDE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:55.929{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1778FC3E27FE703CF14CF14262009B,SHA256=52178C0C864437C93D2A30FB921A3FA6CF8C92CA169D4BD37B418E7784112020,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:54.075{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50047-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000040164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.920{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=641CB6545C95502FB111D5546FEC79EF,SHA256=7C77E956798E83B56F07A177CE2EE5A4BB0E1D4C5B303D96700C12B4B4950B40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
23542300x800000000000000040157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85540E9AF3025EA269B95D1E0805C3A2,SHA256=36A163162819E3442E81C4077AD45406B1B7B699D1052018C638E4C416A9676F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000040156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:53.578{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56236-false10.0.1.12-8000-
23542300x800000000000000040155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.224{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E8C403FF83256ED8FEEC5C5005A1AD,SHA256=C2D92B28A675EDA123B3E2A5B58A4331CA98D51B0DBEB92C477784F669DF62FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.114{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.052{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.052{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.052{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000040169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
10341000x800000000000000040168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
354300x800000000000000040167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.302{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56237-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap
354300x800000000000000040166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.302{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56237-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap
23542300x800000000000000040165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.206{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E1F92513BAD71FAA1B0D7EB1A37995,SHA256=7BEDD49CB7658498DFB3C7FD518A1040CA0E5C0E652590F13D54DBF5096A0D1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.848{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.848{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.848{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.301{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E296F6F7C9B252DB45A5D5C45ABF8F42,SHA256=2E4B28B2E9CC217BEB5B8A82C708CB05B05C2FBBE7B12F872A82F55B93CA7375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:57.037{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFAFA72B74D795B452C6BC05E2EBA0D,SHA256=FA9A26B4DAABFCB057727B13A49084EDD8ED55A2BA3D1705F7D0A394AC5D0556,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:58.621{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BE6BC7B2C261A044D9591D92B79A95,SHA256=7FB674CC479C3FB87276D48F18A0F820AC01F83432389E098B344E149980FFF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:58.124{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78771D50D6D8FC4D977900AB80460590,SHA256=9605D2CF832306530A944BB6BAB842BFCE74B62F57F092D7F23D734112976C47,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000040216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.206{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.exe2023-01-18 12:17:58.206
11241100x800000000000000040215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.206{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchosts.exe2023-01-18 12:17:58.206
11241100x800000000000000040214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchost.exe2023-01-18 12:17:58.191
11241100x800000000000000040213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PowerPoint3to4.exe2023-01-18 12:17:58.191
11241100x800000000000000040212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\passwordstorageFix.exe2023-01-18 12:17:58.191
11241100x800000000000000040211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3_Rundll32.dll2023-01-18 12:17:58.191
11241100x800000000000000040210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3.exe2023-01-18 12:17:58.191
11241100x800000000000000040209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\googleDriveDesktopAlbum14.exe2023-01-18 12:17:58.191
11241100x800000000000000040208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ConfirmEmail.exe2023-01-18 12:17:58.191
11241100x800000000000000040207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.exe2023-01-18 12:17:58.175
11241100x800000000000000040206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.dll2023-01-18 12:17:58.175
11241100x800000000000000040205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.exe2023-01-18 12:17:58.175
11241100x800000000000000040204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.dll2023-01-18 12:17:58.175
11241100x800000000000000040203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x86.exe2023-01-18 12:17:58.175
11241100x800000000000000040202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x64.exe2023-01-18 12:17:58.175
11241100x800000000000000040201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\WoundedGryphon.sh2023-01-18 12:17:58.034
11241100x800000000000000040200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteKey2023-01-18 12:17:58.034
11241100x800000000000000040199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteDecipher.sh2023-01-18 12:17:58.034
11241100x800000000000000040198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteCipher2023-01-18 12:17:58.034
11241100x800000000000000040197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.zip2023-01-18 12:17:58.034
11241100x800000000000000040196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\READ_THIS.txt2023-01-18 12:17:58.034
11241100x800000000000000040195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\README.md2023-01-18 12:17:58.034
11241100x800000000000000040194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\RDP_MSP_INSTALL_SCRIPTS-AWESOME.txt2023-01-18 12:17:58.034
11241100x800000000000000040193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ransom.html2023-01-18 12:17:58.034
11241100x800000000000000040192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PlayServicesUpdate.apk2023-01-18 12:17:58.034
11241100x800000000000000040191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.pdf2023-01-18 12:17:58.034
11241100x800000000000000040190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.html2023-01-18 12:17:58.034
11241100x800000000000000040189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LICENSE-WhiteBox.txt2023-01-18 12:17:58.019
11241100x800000000000000040188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\hoax.txt2023-01-18 12:17:58.019
11241100x800000000000000040187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\desktop.ini2023-01-18 12:17:58.019
11241100x800000000000000040186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\decipher.sh2023-01-18 12:17:58.019
11241100x800000000000000040185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\cipher.sh2023-01-18 12:17:58.019
11241100x800000000000000040184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\bg.jpg2023-01-18 12:17:58.019
11241100x800000000000000040183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\anubis.sh2023-01-18 12:17:58.019
11241100x800000000000000040182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.py2023-01-18 12:17:58.019
11241100x800000000000000040181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.ps12023-01-18 12:17:58.019
11241100x800000000000000040180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.py2023-01-18 12:17:58.019
11241100x800000000000000040179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.ps12023-01-18 12:17:58.019
11241100x800000000000000040178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x86.bin2023-01-18 12:17:58.019
11241100x800000000000000040177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x64.bin2023-01-18 12:17:58.019
11241100x800000000000000040176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x86.bin2023-01-18 12:17:58.019
11241100x800000000000000040175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x64.bin2023-01-18 12:17:58.019
23542300x800000000000000040219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:59.823{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FFFD291B0C60A507F36036FFD84E871E,SHA256=C0945FDCF881C3B537AB41E279188CC65AC4ACAC486ECFDD1A776E54865B00E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:59.792{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB0ABBDF9DEB3427CD0BFD147B46EC0,SHA256=44977096A91B2B6F1D85F00C57F4157DE0473C3A8D289F97E3E5E9A6E389FB0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:59.216{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B47EB3A892D6F1418C2047DD2D78E50,SHA256=34D12B998BBC24495C7EC717FA2B1C608A8CD28FFDDC7A84ED536318A7BA8C07,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:00.878{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF62B76A83674036A0B7F0D771B1BFEE,SHA256=8EDCB5AD4415B66858FB7359AE266D223D21396C4CF23F6373FFAA014514CEB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:59.111{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50048-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:00.298{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF3130F34FCB39C6E5E5E7F1574CC32,SHA256=92F7F55EAD6094CB90E95A58D7838B47E0C57F29E413F6BB128A76F3B050DB99,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:01.978{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E74421F178DDCC7133A4567AFB78CA,SHA256=5D41E4C5CA7B2EB6335980A2C7DD370C28703DC70FF73F456B06DCA5275DF67C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:01.444{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7CCA88BF42BB1AE055C7496B2F3C147D,SHA256=4C9E28BF008F67057EBABE5BA09E8E18CD7149DB9B11AA271B1050095364EC94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:01.382{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268346B7250058C028DC288D8D3FFCEE,SHA256=2D771DF360C8D66F562AA014D42FD6A3C67BF182D586670CF7DF07257107C13F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:58.740{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56238-false10.0.1.12-8000-
10341000x800000000000000015408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.743{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.733{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.729{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.724{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.718{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.716{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.708{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.706{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.698{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.694{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.683{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.681{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.666{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.657{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.643{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.637{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.622{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.577{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.542{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.533{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x800000000000000015378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.531{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
23542300x800000000000000015377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.490{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914AD1F9988236D1C6788DBFF79873D8,SHA256=9349C56181FAA5AD715678C6A0631CE3A590D370231F5567DD5D1299F48D036F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.968{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.718{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3283B7C1C3F3949CE049A7A752072B,SHA256=A3BEA6FC36094BCE39ACDF61F9D7D19DFDA31668024837E7FDDFD3E3E7BA6BC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:03.091{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9505E1F7D313399C5926A6B76E6A6BE9,SHA256=A04E9FDABC26BA7BA7C459AA680B4C1068DADEEC37360E04E25F5DCE1E90BC20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.349{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-029MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:04.358{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:04.870{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8921208C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:04.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02252041A038F13DFF32D2E069839999,SHA256=E9877520B8684264D3314661E321A48B0A6F88A149C5F646B587965D517A8249,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.832{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50049-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000015413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:05.008{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A23C4151C842A8F0B34A9D2784D048,SHA256=640572F6BE6C8E479C51D49C11F64DD705A224831A8B5F87949FD935CF82C38A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:05.255{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B992AA7534B9E37569A512A3C0D72D,SHA256=CEAA2044538749FADD3E5B5C58CAAD969AD09C3D5DA35C4C6464B5B85B7DB178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:05.079{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50050-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:06.105{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810FF3AEE5639A3F95A9C03BE62DAB53,SHA256=1F97364EAF679886046BA825DF76D22E0DC49DBF4D54ECD1C12B946852C222AB,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:04.665{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56239-false10.0.1.12-8000-
23542300x800000000000000040228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:06.314{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2290D71BEEE6CAA1793E3CC97208B9,SHA256=A17BD9F9978B0E8F6847013EA6E7252F1A716ACE231595C39CE711F9822E24AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:06.283{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:07.193{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92B224665D1D9003B511C3FF273A641,SHA256=338718E64EAEFCC9850F6B1B3B43A9E043A26C4E665C215DBF7205401CF4539E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:07.406{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EB23EBA1275B6FA1FC106EB40B32E3,SHA256=EC8F32512DB66BB98D145E1C3EFE474144F96490BD88F215EE57E0340CB1ED66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:08.300{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC59FD03636D14C4D2F1715899CD3240,SHA256=4ED4072456DA7EBEB745EC851557D58531D42357E6351FCAF87929EF77FD7141,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000040236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:18:08.956{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML
13241300x800000000000000040235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:18:08.940{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Config SourceDWORD (0x00000001)
13241300x800000000000000040234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:18:08.940{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B.XML
10341000x800000000000000040233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.940{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.940{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.486{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B63CAF8F431B22671C990AD5617ADB,SHA256=26D272718C876F8F024A8912642B64CDE376FB6C7DE380645E09C3DB4E4FF084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.793{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.793{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.793{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.559{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF74DAF87F87691D380B93F6A8B923B,SHA256=7D023EC06909727DE40A79CA3763646DA23CA65BFDDFAA686796B46A38B66CB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:09.390{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0861D7DE21D31CF25DD4C65FB3CC2146,SHA256=F0087B4EC5068A55E53D772F8395AF84D3456B763E1C910B518AD2CB86621018,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.853{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63BF3F712B4375882C83EECC98DF980,SHA256=71AFD9CC279B9CB37502D589A76C78748F0D9997C9F89549F1A44D97CEEAD611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.806{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.806{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889D59BFFA5CD0693E82479388F35A8,SHA256=BCA2721D6ECE9EE3465F2E1A659679B39965967E88A4A1AD9D667DD23CFA334A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.572{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.572{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.572{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:10.484{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7EFAB9131BD3029B9BBBE440C88E83,SHA256=F495A9987B566106E28F8A6A5D27662F09DFEAD50F3FD4EACEF456144FF8F9E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000040242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.429{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56240-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap
354300x800000000000000040241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.429{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56240-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap
10341000x800000000000000040300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.253{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
10341000x800000000000000040290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.252{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610)
23542300x800000000000000015426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:15.933{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA4DFB2EECF6C5CF133A2618DD27164,SHA256=3F1B2E59C51AEE76FE7431927B3A2FACD64FFD12264AD74A22F1E996C4F8D3B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.839{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62FAD52D2DA3D9BAFE98F0864A403EC,SHA256=E6E752C99130ED7DB8C65CE2888DB0A0BF55EBDF2D9B24DD99A9C6BB7249EA10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EE8DD109B86FE21862BF55B2B5D1EF,SHA256=A5FBAF23397E6CDC60454AB3DCD77AA99B7A239F34572AC30C57D380B40F0F1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:16.372{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7AFA33D1716F61B6A0D77BBD0EF2B2B,SHA256=4CA06DDCD1C17305378E3F892728131695179BB4CAC5ABABAEA02E94461746D8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.035{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.035{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.035{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:17.028{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEB297E37F8B8020366D68D70F7DDC1,SHA256=795F1F3639FED2AD26F1D9B20EAA8CDC4E1D08BCD79F209CD89E26CA53662538,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.971{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)
10341000x800000000000000040335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)
10341000x800000000000000040334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)
10341000x800000000000000040333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)
10341000x800000000000000040332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
10341000x800000000000000040331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
10341000x800000000000000040330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40329; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:17.838; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=4388; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40328; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:17.838; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=4388; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40327; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:17.838; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=4388; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40326; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:17.838; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=4388; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40325; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:17.838; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=4388; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15430; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:18:16.017; ProcessGuid={E5A8D418-DCC7-63C7-D000-00000000B002}; ProcessId=3144; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-ctus-attack-range-933.us-east-2.compute.internal; SourcePort=50052; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal; DestinationPort=8000; DestinationPortName=-
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=15429; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-host-ctus-attack-range-933; RuleName=-; UtcTime=2023-01-18 12:18:18.114; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7218E07E9C04295BAD9BD0DB5B7D356E,SHA256=8298AB4D0202EC35D62C0D1CECE825EDC6AA2087516288A6FE45821E29A2AE35,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40397; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:16.559; ProcessGuid={FE4C2B44-DA6F-63C7-DB00-00000000AF02}; ProcessId=4048; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-ctus-attack-range-271.attackrange.local; SourcePort=56244; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40396; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.572; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40395; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.572; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40394; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.572; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40393; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.572; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40392; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.572; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40391; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.432; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40390; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.432; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40389; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.432; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40388; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.432; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40387; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.432; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40386; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.432; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40385; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.416; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40384; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.416; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40383; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.416; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40382; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.416; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40381; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.385; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C133A33C83F4F1594FCA4306FAB4A568,SHA256=8D6632284EF7E7C428609703C485BA4660D8E0C3AD74CBBCCC99783E0A165020,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40380; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.354; SourceProcessGUID={FE4C2B44-D9F3-63C7-0B00-00000000AF02}; SourceProcessId=624; SourceThreadId=676; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2900-00000000AF02}; TargetProcessId=2712; TargetImage=C:\Windows\system32\dfssvc.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7; Version=3; Level=4; Task=7; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40379; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.354; ProcessGuid={FE4C2B44-DA03-63C7-2900-00000000AF02}; ProcessId=2712; Image=C:\Windows\System32\dfssvc.exe; ImageLoaded=C:\Windows\System32\cryptdll.dll; FileVersion=10.0.14393.2969 (rs1_release.190503-1820); Description=Cryptography Manager; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=cryptdll.dll; Hashes=MD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40378; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.338; SourceProcessGUID={FE4C2B44-D9F3-63C7-0B00-00000000AF02}; SourceProcessId=624; SourceThreadId=676; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2900-00000000AF02}; TargetProcessId=2712; TargetImage=C:\Windows\system32\dfssvc.exe; GrantedAccess=0x1478; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40377; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.338; SourceProcessGUID={FE4C2B44-D9F3-63C7-0B00-00000000AF02}; SourceProcessId=624; SourceThreadId=676; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessGUID={FE4C2B44-DA03-63C7-2900-00000000AF02}; TargetProcessId=2712; TargetImage=C:\Windows\system32\dfssvc.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40376; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.338; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40375; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.338; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40374; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.338; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40373; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.338; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40372; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.322; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40371; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.322; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40370; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.322; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=40369; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-ctus-attack-range-271.attackrange.local; RuleName=-; UtcTime=2023-01-18 12:18:18.322; SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02}; SourceProcessId=3260; SourceThreadId=5208; SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe; TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02}; TargetProcessId=5200; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87
10341000x800000000000000040355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.282{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)|C:\Windows\system32\explorerframe.dll+87703(wow64)|C:\Windows\system32\explorerframe.dll+89a37(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)|C:\Windows\system32\explorerframe.dll+87703(wow64)|C:\Windows\system32\explorerframe.dll+89a37(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)
10341000x800000000000000040351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)|C:\Windows\system32\explorerframe.dll+87703(wow64)
10341000x800000000000000040350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.269{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.269{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)
10341000x800000000000000040347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)
10341000x800000000000000040346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)
10341000x800000000000000040345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)
EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40344 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:18.217
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)|C:\Windows\system32\explorerframe.dll+892ca(wow64)|C:\Windows\system32\explorerframe.dll+8813f(wow64)|C:\Windows\system32\explorerframe.dll+88204(wow64)|C:\Windows\System32\SHELL32.dll+c262b(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40343 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:18.217
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)|C:\Windows\system32\explorerframe.dll+892ca(wow64)|C:\Windows\system32\explorerframe.dll+8813f(wow64)|C:\Windows\system32\explorerframe.dll+88204(wow64)|C:\Windows\System32\SHELL32.dll+c262b(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40342 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:18.217
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40341 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:18.217
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)|C:\Windows\system32\explorerframe.dll+892ca(wow64)

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40340 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:18.018
  ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02} ProcessId=2900 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=50CF769BB668ACFA56E2E02760E3CB5A,SHA256=470ABF1FAD820E979FA40C9CBFD150F8950E16FA73FDE6D99FC43614CF49BFBA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=15431 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime=2023-01-18 12:18:19.307
  ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002} ProcessId=3756 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=E2373E5A0A920302D1B24310AED5262C,SHA256=87A3B87CF037CA381A2910AF46D242194AD089C26EECA8D0193A7E1BB1C4082F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40406 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.846
  ProcessGuid={FE4C2B44-D9F3-63C7-0B00-00000000AF02} ProcessId=624 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false
  SourceIsIpv6=true SourceIp=fe80:0:0:0:8599:7e7b:594b:6e25 SourceHostname=win-dc-ctus-attack-range-271.attackrange.local SourcePort=56247 SourcePortName=-
  DestinationIsIpv6=true DestinationIp=fe80:0:0:0:8599:7e7b:594b:6e25 DestinationHostname=win-dc-ctus-attack-range-271.attackrange.local DestinationPort=389 DestinationPortName=ldap

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40405 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.846
  ProcessGuid={FE4C2B44-DA03-63C7-2900-00000000AF02} ProcessId=2712 Image=C:\Windows\System32\dfssvc.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true
  SourceIsIpv6=true SourceIp=fe80:0:0:0:8599:7e7b:594b:6e25 SourceHostname=win-dc-ctus-attack-range-271.attackrange.local SourcePort=56247 SourcePortName=-
  DestinationIsIpv6=true DestinationIp=fe80:0:0:0:8599:7e7b:594b:6e25 DestinationHostname=win-dc-ctus-attack-range-271.attackrange.local DestinationPort=389 DestinationPortName=ldap

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40404 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.832
  ProcessGuid={FE4C2B44-D9F3-63C7-0B00-00000000AF02} ProcessId=624 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false
  SourceIsIpv6=true SourceIp=fe80:0:0:0:8599:7e7b:594b:6e25 SourceHostname=win-dc-ctus-attack-range-271.attackrange.local SourcePort=56246 SourcePortName=-
  DestinationIsIpv6=true DestinationIp=fe80:0:0:0:8599:7e7b:594b:6e25 DestinationHostname=win-dc-ctus-attack-range-271.attackrange.local DestinationPort=389 DestinationPortName=ldap

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40403 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.832
  ProcessGuid={FE4C2B44-DA03-63C7-2900-00000000AF02} ProcessId=2712 Image=C:\Windows\System32\dfssvc.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true
  SourceIsIpv6=true SourceIp=fe80:0:0:0:8599:7e7b:594b:6e25 SourceHostname=win-dc-ctus-attack-range-271.attackrange.local SourcePort=56246 SourcePortName=-
  DestinationIsIpv6=true DestinationIp=fe80:0:0:0:8599:7e7b:594b:6e25 DestinationHostname=win-dc-ctus-attack-range-271.attackrange.local DestinationPort=389 DestinationPortName=ldap

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40402 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.818
  ProcessGuid={FE4C2B44-D9F1-63C7-0100-00000000AF02} ProcessId=4 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false
  SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-ctus-attack-range-271.attackrange.local SourcePort=56245 SourcePortName=-
  DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-ctus-attack-range-271.attackrange.local DestinationPort=445 DestinationPortName=microsoft-ds

EventID=3 (NetworkConnect) Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40401 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.818
  ProcessGuid={FE4C2B44-D9F1-63C7-0100-00000000AF02} ProcessId=4 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true
  SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-ctus-attack-range-271.attackrange.local SourcePort=56245 SourcePortName=-
  DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-ctus-attack-range-271.attackrange.local DestinationPort=445 DestinationPortName=microsoft-ds

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40400 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:19.513
  ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02} ProcessId=2900 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=58599B16349701396735E3ACD9AB330C,SHA256=29A29DA8DD5E91E62FEF9793AB5031EDCA6B7280C1F67CE3325882792DE9EC78,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40399 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:19.513
  ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02} ProcessId=2900 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=984F63504E4B8FAF58707F3B0D74A751,SHA256=D3F579476DC7D87F26E59E05290584723299594BE587E9CA7A5503AB677A5CD5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40398 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:19.145
  ProcessGuid={FE4C2B44-E326-63C7-F905-00000000AF02} ProcessId=3260 User=ATTACKRANGE\Administrator Image=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetFilename=C:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journal
  Hashes=MD5=44720365740B1D57E3DCC2FD521A540D,SHA256=D956064C4C93C74D4991781C180926CA082E1F4D0141C39B9331A1358C2BD9A9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=15432 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime=2023-01-18 12:18:20.393
  ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002} ProcessId=3756 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=AD3446131CDEDA9C3BDA527C4BA1D693,SHA256=28042B3E9C9F22550BFAB97FD0C6017823740F1AC2759AE1A70AE5E43D341ED5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 (FileDelete) Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40442 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.991
  ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02} ProcessId=2900 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=8B47143798376C062EDB2CF8C7FFBD5E,SHA256=A69C7067DA0F07B780F6EA49A762E67E7F59BE062121D8744D3789E96C35020C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40441 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.889
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40440 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.889
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40439 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.889
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40438 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.889
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40437 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.889
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40436 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.735
  SourceProcessGUID={FE4C2B44-D9F5-63C7-1600-00000000AF02} SourceProcessId=1296 SourceThreadId=1444 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-E38C-63C7-0906-00000000AF02} TargetProcessId=2520 TargetImage=C:\Windows\SysWOW64\DllHost.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40435 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.735
  SourceProcessGUID={FE4C2B44-D9F5-63C7-1600-00000000AF02} SourceProcessId=1296 SourceThreadId=1340 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-E38C-63C7-0906-00000000AF02} TargetProcessId=2520 TargetImage=C:\Windows\SysWOW64\DllHost.exe GrantedAccess=0x1478
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40434 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.686
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-E38C-63C7-0906-00000000AF02} TargetProcessId=2520 TargetImage=C:\Windows\SysWOW64\DllHost.exe GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40433 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.623
  SourceProcessGUID={FE4C2B44-DDF4-63C7-A004-00000000AF02} SourceProcessId=4700 SourceThreadId=692 SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={FE4C2B44-E38C-63C7-0906-00000000AF02} TargetProcessId=2520 TargetImage=C:\Windows\SysWOW64\DllHost.exe GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40432 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.545
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=284 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40431 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.545
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=7004 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40430 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.545
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=284 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40429 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.545
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=284 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40428 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.545
  SourceProcessGUID={FE4C2B44-D9F3-63C7-0500-00000000AF02} SourceProcessId+SourceThreadId=408424 (run together in the export; the split is ambiguous, most likely 408/424) SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={FE4C2B44-E38C-63C7-0906-00000000AF02} TargetProcessId=2520 TargetImage=C:\Windows\SysWOW64\DllHost.exe GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40427 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.545
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-E38C-63C7-0906-00000000AF02} TargetProcessId=2520 TargetImage=C:\Windows\SysWOW64\DllHost.exe GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=1 (ProcessCreate) Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40426 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.556
  ProcessGuid={FE4C2B44-E38C-63C7-0906-00000000AF02} ProcessId=2520 Image=C:\Windows\SysWOW64\dllhost.exe FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=COM Surrogate Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=dllhost.exe
  CommandLine=C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} CurrentDirectory=C:\Windows\system32\
  User=ATTACKRANGE\Administrator LogonGuid={FE4C2B44-DDF6-63C7-BDF1-300000000000} LogonId=0x30f1bd TerminalSessionId=2 IntegrityLevel=High
  Hashes=MD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32
  ParentProcessGuid={FE4C2B44-D9F5-63C7-0C00-00000000AF02} ParentProcessId=832 ParentImage=C:\Windows\System32\svchost.exe ParentCommandLine=C:\Windows\system32\svchost.exe -k DcomLaunch

EventID=22 (DNSEvent) Version=5 Level=4 Task=22 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40425 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:17.841
  ProcessGuid={FE4C2B44-DA03-63C7-2900-00000000AF02} ProcessId=2712 QueryName=win-dc-ctus-attack-range-271.attackrange.local QueryStatus=0 QueryResults=fe80::8599:7e7b:594b:6e25;::ffff:10.0.1.14; Image=C:\Windows\System32\dfssvc.exe

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40424 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.252
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40423 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.247
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shc, ore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40422 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.247
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40421 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.246
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40420 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.246
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40419 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.240
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} TargetProcessId=3260 TargetImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40418 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.240
  SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} TargetProcessId=3260 TargetImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40417 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.209
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07

EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=40416 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime=2023-01-18 12:18:20.193
  SourceProcessGUID={FE4C2B44-E326-63C7-F905-00000000AF02} SourceProcessId=3260 SourceThreadId=5208 SourceImage=C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  TargetProcessGUID={FE4C2B44-DDF9-63C7-C404-00000000AF02} TargetProcessId=5200 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)
10341000x800000000000000040413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)
23542300x800000000000000040412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F360B4F86EF4C88AD1769BB14434741E,SHA256=F60B0D9FB3AC5224272EA2142D9FF0E9B60A33E56941D45C9665A4E777C6F544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.177{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)|C:\Windows\System32\SHELL32.dll+2d2f48(wow64)|C:\Windows\System32\SHELL32.dll+419591(wow64)|C:\Windows\System32\SHELL32.dll+418519(wow64)|C:\Windows\system32\explorerframe.dll+119b4f(wow64)
10341000x800000000000000040409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)|C:\Windows\System32\SHELL32.dll+2d2f48(wow64)|C:\Windows\System32\SHELL32.dll+419591(wow64)|C:\Windows\System32\SHELL32.dll+418519(wow64)|C:\Windows\system32\explorerframe.dll+119b4f(wow64)
10341000x800000000000000040408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)
10341000x800000000000000040407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)|C:\Windows\System32\SHELL32.dll+2d2f48(wow64)
23542300x800000000000000015433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:21.478{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFA1BC72A55C1F8D03D16E44A67C5C2,SHA256=A2A1106EF71D6F8424122A6041A2F6AFA106C67AB2FB97F1D28D61510C149C88,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.291{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.291{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.291{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.290{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.290{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.290{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
23542300x800000000000000040443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.210{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F503E69513339D5370F9F6C5927E5CED,SHA256=AD39742737DF834E7E65E81D52C2E3DF5533ED83FEE695C19BAAF19F8BDB30B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.729{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.724{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.721{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.720{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.715{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.714{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.711{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.709{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.704{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.700{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000015452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.700{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850)
10341000x800000000000000040482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)
10341000x800000000000000040480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)
10341000x800000000000000040479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)
10341000x800000000000000040478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)
10341000x800000000000000040477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)
10341000x800000000000000040473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)
23542300x800000000000000040472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.648{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AACA098F7C9E0F7C402E576ECB4A3556,SHA256=6255B87E0198A11F57F525A7D8721EE75CD4E2E3CFD85F12789AB861C86FF007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.436{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B2BE13646222B5B1A3BF6E83392344,SHA256=F02200DE4EC02A08C025505700248F2DE6C3AE98D416D318A6AE2BEAB267673B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:21.996{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50053-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:24.051{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E903CBFF38A87E9B90CD92F3B49C1DA5,SHA256=E1F0F426726A3470DC566E47C4F211E2F60ABD6003FAC947C8E61B8F894077B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.511{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D956BE581B4A16014191FB3EA038CA2,SHA256=BE2A4243307324C7979307E9AE38DB73F1F586E54E8C954D530F891D29DFFC16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.668{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.668{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.668{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.654{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.171{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABF269F8775456805E21ED2D88CFC21,SHA256=6CEFED54C306FA8080A4F408EC23185D4001843932848DF9B31D33A9A5BD82C2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)
10341000x800000000000000040484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)
10341000x800000000000000040508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.898{FE4C2B44-E318-63C7-EE05-00000000AF02}34803804C:\Windows\servicing\TrustedInstaller.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\combase.dll+7d0d8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.602{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E60C833C50CA2E80B9109BEC2922F6B,SHA256=F4CA2A36DE9E7A34F96C108045921206C455901F2629EA5C844A330D04A23C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:26.255{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22BC3DA35917C34259C7FB881A14E99,SHA256=4E3EAC7B448ADF92D5EFBAE2FB4EFB3190E9499690967939A87D3A489045F78A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.508{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=68D8760F1E27AD1CD79F124C8C54029E,SHA256=9F1DCAC3A76D82DAC216BECD322683536A13A96CD531E4A2583BBE03F476A52E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.397{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.397{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.397{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.396{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.396{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.396{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10)
10341000x800000000000000040499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.115{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.115{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.100{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.100{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.096{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch
10341000x800000000000000040526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)
10341000x800000000000000040522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)
23542300x800000000000000040521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.694{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1642AA38DA3AD180EDA2699B876D8B12,SHA256=EABB62D8CE5739752299188FFBBD5022167D5ED43B2782809D9FEA8588E6B3AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:27.347{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA077AFEE102E02C86F6643A0EEAD8FE,SHA256=B724ACE009F440C92DAFD01F047F2C05433C4C57BE21AB2F00A522AE2CC94FA8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)
10341000x800000000000000040518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64)
10341000x800000000000000040517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)
10341000x800000000000000040516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)
10341000x800000000000000040515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.522{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.506{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000040513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.506{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64)
10341000x800000000000000015494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.768{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000015491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.610{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8BF54E86EEE121611576EF06F6377A92,SHA256=8D1AE3BB2265EDE9E54A1D4651013B004533BA0F91D90BB5AA9B47E0AF9F263F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.526{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C31F44A71C9CA839FE385CC55CDD63E,SHA256=1837D1B980C32AF892FCE26FFBE57C53A252E9E33F22AC2888ECABEBE9C8521B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.147{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07
10341000x800000000000000040553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64)
10341000x800000000000000040551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)
10341000x800000000000000040550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)
10341000x800000000000000040549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.115{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.100{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000015489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000015527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.763{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1DE922E8817FCB13B4544C1264FD66,SHA256=3F2F73E005771B5DD3CC54AB6CDC9940D26A79ECFCF4507F2D02F8360BB732CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.701{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E39B0F2590E960E4EBC9084CB9FF84C6,SHA256=8D87F958DEC86C5A6E4BCB1150FCC0C19B03804A2524E3AC34A923B4BEAEA27B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
23542300x800000000000000040575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.936{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116530D6F7534227A41AF201619A682F,SHA256=2A795DCC8B4386042A2C60F7707A50F3E5B98719C4717A19DC73781ED5CC511A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.732{FE4C2B44-E396-63C7-0D06-00000000AF02}32126788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.561{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000040565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.204{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30B0EF832DB5CD3CF340CDB0EECCC11,SHA256=0FEF625F190C7110CC4DF157EB6331046670200683803D91F79656F48CB16E52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.032{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A28EDDD4F82A5D6571FA1259305AD68E,SHA256=71A795F5A9A9EEF3B4B2B0D29EF3CD9060527FB4AE549512C325BC660319EE7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000040563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.726{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56250-false10.0.1.12-8000-
10341000x800000000000000015519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.434{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000015506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.261{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18A493B06C7509786ABA78A18D21C08D,SHA256=353B32C752ABE6A67B766214C5612C27BCB4652A4662D9A35D8D5F1CEAE7F51E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.742{E5A8D418-E397-63C7-EA01-00000000B002}6082488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.601{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F293A13F8B0AC6E71698B9DEF8C708,SHA256=FA60E156083562806E1C5C670C9E5F4FE2E49EDB1E393FE7DC6924E452FDCB82,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.950{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BC1B558EBB2DEA21F37345BB7D0B97,SHA256=22B5C151EAACA213890FE2B15D25E991DF7ED5B1CCECD7741953DB80B886584A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000040712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40711 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.863" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-DA03-63C7-2500-00000000AF02} TargetProcessId=2500 TargetImage=C:\Windows\system32\DFSRs.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40710 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.861" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-DA03-63C7-2200-00000000AF02} TargetProcessId=2476 TargetImage=C:\Windows\System32\ismserv.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40709 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.857" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-DA03-63C7-2100-00000000AF02} TargetProcessId=2468 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=40708 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.857" ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02} ProcessId=2900 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=CB69A253ADD84528BB5568014695A7EF,SHA256=8D5751D13111621342C2A816A49D7AE4F44D53BD6D0AF2CC664BB5E9D68F53A9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40707 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.846" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-DA03-63C7-1F00-00000000AF02} TargetProcessId=2444 TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40706 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.841" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40705 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.836" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-DA03-63C7-1E00-00000000AF02} TargetProcessId=2352 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40704 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.833" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9FF-63C7-1C00-00000000AF02} TargetProcessId=2208 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40703 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.832" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F6-63C7-1A00-00000000AF02} TargetProcessId=1436 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40702 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.830" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1700-00000000AF02} TargetProcessId=1412 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40701 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.806" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1600-00000000AF02} TargetProcessId=1296 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40700 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.800" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1500-00000000AF02} TargetProcessId=1268 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40699 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.796" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1400-00000000AF02} TargetProcessId=1060 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40698 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.784" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1300-00000000AF02} TargetProcessId=1036 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40697 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.777" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1200-00000000AF02} TargetProcessId=756 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40696 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.773" SourceProcessGUID={FE4C2B44-E397-63C7-0E06-00000000AF02} SourceProcessId=4860 SourceThreadId=4320 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" TargetProcessGUID={FE4C2B44-DA67-63C7-AA00-00000000AF02} TargetProcessId=2092 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15540 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DCC0-63C7-A300-00000000B002} SourceProcessId=968 SourceThreadId=3180 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={E5A8D418-E397-63C7-EA01-00000000B002} TargetProcessId=608 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15539 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15538 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15537 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15536 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15535 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15534 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15533 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15532 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15531 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002} SourceProcessId=728 SourceThreadId=3236 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002} TargetProcessId=1284 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15530 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DC43-63C7-0500-00000000B002} SourceProcessId=416 SourceThreadId=3684 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={E5A8D418-E397-63C7-EA01-00000000B002} TargetProcessId=608 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=15529 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.585" SourceProcessGUID={E5A8D418-DCC0-63C7-9F00-00000000B002} SourceProcessId=3096 SourceThreadId=3280 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={E5A8D418-E397-63C7-EA01-00000000B002} TargetProcessId=608 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordID=15528 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-933 RuleName=- UtcTime="2023-01-18 12:18:31.586" ProcessGuid={E5A8D418-E397-63C7-EA01-00000000B002} ProcessId=608 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={E5A8D418-DC43-63C7-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 ParentProcessGuid={E5A8D418-DCC0-63C7-9F00-00000000B002} ParentProcessId=3096 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40695 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.770" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1100-00000000AF02} TargetProcessId=492 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40694 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.763" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-1000-00000000AF02} TargetProcessId=404 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40693 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.754" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-0F00-00000000AF02} TargetProcessId=304 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40692 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.748" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-0E00-00000000AF02} TargetProcessId=1004 TargetImage=C:\Windows\system32\LogonUI.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40691 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.740" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-0D00-00000000AF02} TargetProcessId=892 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40690 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.733" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} TargetProcessId=832 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40689 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.696" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F3-63C7-0B00-00000000AF02} TargetProcessId=624 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40688 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.691" SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} SourceProcessId=6068 SourceThreadId=6500 SourceImage="C:\Program Files\Aurora-Agent\aurora-agent.exe" TargetProcessGUID={FE4C2B44-D9F3-63C7-0900-00000000AF02} TargetProcessId=564 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x40 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40687 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.600" SourceProcessGUID={FE4C2B44-DA67-63C7-AE00-00000000AF02} SourceProcessId=4912 SourceThreadId=3668 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={FE4C2B44-E397-63C7-0E06-00000000AF02} TargetProcessId=4860 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40686 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.600" SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40685 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.600" SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40684 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.600" SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40683 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.600" SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=772 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={FE4C2B44-DA03-63C7-2000-00000000AF02} TargetProcessId=2452 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40682 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.584" SourceProcessGUID={FE4C2B44-D9F3-63C7-0500-00000000AF02} SourceProcessId=408 SourceThreadId=2524 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={FE4C2B44-E397-63C7-0E06-00000000AF02} TargetProcessId=4860 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=40681 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.584" SourceProcessGUID={FE4C2B44-DA67-63C7-AA00-00000000AF02} SourceProcessId=2092 SourceThreadId=4876 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={FE4C2B44-E397-63C7-0E06-00000000AF02} TargetProcessId=4860 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordID=40680 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-271.attackrange.local RuleName=- UtcTime="2023-01-18 12:18:31.595" ProcessGuid={FE4C2B44-E397-63C7-0E06-00000000AF02} ProcessId=4860 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={FE4C2B44-D9F3-63C7-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 ParentProcessGuid={FE4C2B44-DA67-63C7-AA00-00000000AF02} ParentProcessId=2092 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000040679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.584{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F751952F4CE9AF9DDBCBC9547184336,SHA256=9563EBFC0DA3AD2ABDA069E9F17F48B192ECA753053EA91AA95EA9D9655B8AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.584{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67D1F9DDD9494EB59BD9E474C3428482,SHA256=C1B3F8A444870D0FAD6E7605BB3475C2FB4BC528761DAC65C7A628EC78C4E932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
11241100x800000000000000040676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2023-01-18 12:18:31.433
10341000x800000000000000040675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000040659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4
11241100x800000000000000040658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\output.pdf.lnk2023-01-18 12:18:31.417
10341000x800000000000000040657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.692{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F83CEA9F5A16E86A20C9B676CC6FA4F,SHA256=4485FC70854D53B2CBEA49E8C08F07A0AAE4013F4FA9F770562A142547353CD2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.537{E5A8D418-E398-63C7-EB01-00000000B002}18843544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.381{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000040725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.620{FE4C2B44-E398-63C7-0F06-00000000AF02}52727148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.620{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D5D0A19EEC7947F8174DE99AB722C0,SHA256=1DC6685AEE686C342CD00C6DBBEC1EF73E9CB51EE9530952669793C1117114E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.480{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.479{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000040715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.193{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000015572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.792{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA5162EC3B56A2ACD4943A87B842138,SHA256=28287241BC96F034F6F781890510C923935BDE4E2B438DEDDD07EAFD99B96008,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.213{E5A8D418-E399-63C7-EC01-00000000B002}33923892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.027{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.022{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.023{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000040743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.923{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000040735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.190{FE4C2B44-E399-63C7-1006-00000000AF02}64246476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.045{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000040726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.013{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3BE6FFC4D2A1B37B537D5DBC1DC821,SHA256=0D2C16F0B9D231189BF15CE8C0173992C830F82981EA6FE3B8FDC98B639736A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.968{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50055-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.898{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26C6635F5E91851156D3F2508634441,SHA256=C042EA3FE7AB5AE8844805B0CD1478B402D4AED3F084BB7256BA3DD35464C1AD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E39A-63C7-ED01-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E39A-63C7-ED01-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
Sysmon records exported from Splunk. The field separators are missing in this copy, so each record is rebuilt below in Sysmon schema order, one record per line, fields separated by " | " (the CallTrace field keeps Sysmon's own unspaced "|" between stack frames). Every record starts with EventID | Version | Level | Task | Opcode | Keywords | RecordNumber | Channel | Computer | RuleName | UtcTime, followed by the event-specific fields:
  1 ProcessCreate: ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
  3 NetworkConnect: ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
 10 ProcessAccess: SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
 23 FileDelete: ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15574 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:34.395 | {E5A8D418-DCC0-63C7-9F00-00000000B002} | 3096 | 3280 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {E5A8D418-E39A-63C7-ED01-00000000B002} | 376 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 15573 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:34.396 | {E5A8D418-E39A-63C7-ED01-00000000B002} | 376 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | 8.2.5 | Windows Print Monitor | splunk Application | Splunk Inc. | splunk-winprintmon.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {E5A8D418-DC43-63C7-E703-000000000000} | 0x3e7 | 0 | System | MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9 | {E5A8D418-DCC0-63C7-9F00-00000000B002} | 3096 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40767 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.829 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-E326-63C7-F905-00000000AF02} | 3260 | C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40766 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.828 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-E317-63C7-ED05-00000000AF02} | 6268 | C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40765 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.827 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-E0D1-63C7-5E05-00000000AF02} | 5280 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40764 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.827 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-E0D1-63C7-5D05-00000000AF02} | 4176 | C:\Windows\system32\cmd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40763 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.825 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-E02A-63C7-4705-00000000AF02} | 4708 | C:\Windows\system32\wbem\wmiprvse.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40762 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.819 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DE09-63C7-F204-00000000AF02} | 5228 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40761 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.806 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DE08-63C7-EF04-00000000AF02} | 6056 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40760 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.778 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF9-63C7-C404-00000000AF02} | 5200 | C:\Windows\Explorer.EXE | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40759 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.772 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF7-63C7-B504-00000000AF02} | 1332 | C:\Windows\system32\svchost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40758 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.763 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF7-63C7-B104-00000000AF02} | 5076 | C:\Windows\System32\rdpclip.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40757 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.757 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF5-63C7-A404-00000000AF02} | 4616 | C:\Windows\system32\dwm.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40756 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.755 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF4-63C7-A104-00000000AF02} | 4952 | C:\Windows\system32\winlogon.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40755 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.752 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA7E-63C7-F900-00000000AF02} | 4844 | C:\Windows\System32\msdtc.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40754 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.750 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40753 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.748 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA6F-63C7-DB00-00000000AF02} | 4048 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40752 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.747 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA67-63C7-AE00-00000000AF02} | 4912 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40751 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.743 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA67-63C7-AA00-00000000AF02} | 2092 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40750 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.742 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA1C-63C7-7500-00000000AF02} | 3048 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40749 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.741 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA1C-63C7-7400-00000000AF02} | 3024 | C:\Windows\system32\WinrsHost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40748 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.740 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA05-63C7-3E00-00000000AF02} | 3580 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40747 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.738 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA05-63C7-3B00-00000000AF02} | 3500 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40746 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.224 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA03-63C7-2C00-00000000AF02} | 1648 | C:\Windows\System32\vds.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40745 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.223 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6500 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA03-63C7-2A00-00000000AF02} | 2844 | C:\Windows\system32\wbem\unsecapp.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40744 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:34.087 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=32E09995B2604F7E4372B3153FEB828D,SHA256=7103FFFA03AAB4F950AD03B327969D53194E51DE8C6EA6848C28870EC120B72D,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15589 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:35.992 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2CD38B0C0C47D4BE34EB64886D82D6A8,SHA256=77ECFF2D6F8423AA44C0AAA944708066BC33112F571D1CBBD335A3209781A69F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40770 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:35.150 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1F2BC6AA0B0A06DE89A08DDF2EEFECE3,SHA256=59C0D5BF749F937FFF7C91D986B6B2901355A9C63C6BB77F853DE1D0FFE5D12D,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 40769 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:31.865 | {FE4C2B44-D9F1-63C7-0100-00000000AF02} | 4 | System | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.255 | - | 138 | netbios-dgm | false | 10.0.1.14 | win-dc-ctus-attack-range-271.attackrange.local | 138 | netbios-dgm
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 40768 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:31.865 | {FE4C2B44-D9F1-63C7-0100-00000000AF02} | 4 | System | NT AUTHORITY\SYSTEM | udp | true | false | 10.0.1.14 | win-dc-ctus-attack-range-271.attackrange.local | 138 | netbios-dgm | false | 10.0.1.255 | - | 138 | netbios-dgm
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15588 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:35.461 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=BA0961F8A9FBA72D3D7F0CA2E0C1C316,SHA256=1A2C1AE4CA07E7677A0B0C9F28AAAFEACBEF67954B20FB16B6270C63E5A3B7EA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40771 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:36.215 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5569E65D7C6BC1B4CA769667192BD15B,SHA256=D30A9EA19DAD050DE7EA6E93DC7B8FDE60795461B92A4D7F01A33370E51D0307,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40773 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:37.309 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5E38D2ECC0BA3398C3324D1F225E8D25,SHA256=8053ACD97DA636D6EA72807363C8B0EBB3C0C1391C69090551A70392D17F61A2,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15590 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:37.070 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=84031B8714F7E68E1FFAF44A1CFDA2A4,SHA256=DFEC31759A94FB9D39B7AD5EA167FF11DB552D515B80CAF6C4B07EC70A5BE6AF,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 40772 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:33.589 | {FE4C2B44-DA6F-63C7-DB00-00000000AF02} | 4048 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-ctus-attack-range-271.attackrange.local | 56251 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40774 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:38.392 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BDC7CDAB5FCD785CA57AE056A40ED204,SHA256=681BF8F0B3DA5D9A2E1BDFDFDCDD2336BD5F3D2E82AE4511A561B61B2C03A0AD,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15591 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:38.153 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=68F82984348E195E5890F1C63B47D332,SHA256=B3369465D9ACBB4C4079F3E848FC0241EF3AD33CC192D43F53C78BC413ED7240,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40775 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:39.471 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3B297602E981436F3EBFF4E9760F9821,SHA256=C9ECA56855471DB38F3EC7BA3CA957A487445F231BEA4E3ACB9779B1C27CA2E7,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15592 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:39.276 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=40BEE6CBA0434F919FE1FE37BD4933EE,SHA256=E52F1C0E6B4F5EDFAEA0E9175818A202FCE5477B51911D2AAF5DCA831B8A4277,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40776 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:40.544 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D3EE4AF88F5CB13DBC400CAF8AF3EDA1,SHA256=F4598EFAEF6AF3B3848C1F309AE08DE6FD4B55FCF8648B869BEA9DD9B81A8A7B,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15594 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:40.370 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C4C35B653699954C3FDDF0325C35C598,SHA256=D083AFF951F81B85169A95AD6550D9708D8E36EB3DDD79B3D1C750F4D2388FA1,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 15593 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:38.017 | {E5A8D418-DCC7-63C7-D000-00000000B002} | 3144 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-ctus-attack-range-933.us-east-2.compute.internal | 50056 | - | false | 10.0.1.12 | ip-10-0-1-12.us-east-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40778 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:41.632 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=212906034002DD4D9914A7A91EA11F8E,SHA256=7B2E87DA883FC392A8849A7C392C207627DC91F7B7D034715C8CFCD6A105BC83,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40777 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:18:41.580 | {FE4C2B44-DA03-63C7-2400-00000000AF02} | 2492 | NT AUTHORITY\SYSTEM | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | C:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-039 | MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15595 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:41.448 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EA01814E29FBB9D14DD6BBBB9DE02FEA,SHA256=D991AB952474895465C01CA852FF7FFA39769AF6B9E111E1A13AB3388F708F5E,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15627 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.761 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15626 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.758 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCC7-63C7-D000-00000000B002} | 3144 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15625 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.757 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCC0-63C7-A300-00000000B002} | 968 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15624 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.753 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCC0-63C7-9F00-00000000B002} | 3096 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15623 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.748 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCBE-63C7-9400-00000000B002} | 4004 | C:\Windows\System32\msdtc.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15622 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.747 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC4A-63C7-5300-00000000B002} | 3348 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15621 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.744 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC4A-63C7-5200-00000000B002} | 3336 | C:\Windows\system32\WinrsHost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15620 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.736 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC47-63C7-3E00-00000000B002} | 344 | C:\Windows\system32\wbem\wmiprvse.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15619 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:18:42.736 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3024 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC47-63C7-3900-00000000B002} | 1148 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.719{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.717{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.705{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.691{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.686{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.657{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.649{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.640{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.632{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.618{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.584{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.578{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.573{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.540{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.537{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x800000000000000015596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.536{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8301472BB635804C341A3A575F745ACE,SHA256=B2EEEE6C28173A93B797F9DB319CE024AA7DC169566458600E5E2878B13FD71B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:42.597{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884EF0F3668B10BCE56FD34E1EB5DFDA,SHA256=2CFBE45F994F1F1FA0AD6A147C0BB6660DDD327AEBAAC1E57A4B9A6BB272EAE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:42.588{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-040MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000040779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:39.531{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56252-false10.0.1.12-8000-
23542300x800000000000000015628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:43.960{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58409BA00984072385297EBBB519F26B,SHA256=AA8BCF5025F882AEB29BA4E5951B1652B6F5FB88CB36D3E3EE30170A494E83D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:43.671{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8918E33CC8E8E897B2DE221F3226334,SHA256=760C6C9CA10FFC2EB4AAF00B1FA59C2D0164EB7722DDB1B16107EB3D61B8E994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:44.736{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFC98784AF6058DAAAAFCF1CBA7A458,SHA256=F5DF8DE942F7A84087000A0CF6BAB465C8FC4CCEEABD66CCD77CAC3BF3343282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.828{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DFE09CEB6AD4965F00FE7120A53798,SHA256=E127D74B370E801AED5D59AA0E52D3907D05CEF1DD93AE536E6AF307045918C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:43.088{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50057-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:45.035{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A239904235788318F51EBF83C6599D,SHA256=8BCBE14FBA057EBFB1C4C906866BF13AFF26619CE12F0CB694AD53D9B79033B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:46.918{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07B6BB63FE30517879F2019F299489,SHA256=8EE89DDD7E836E8ED0431FE5F144C6B13ED740634E3B63B463BDA60695F3526A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:46.114{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A904C8ADCDD7165C8662A9ECBA503ED,SHA256=1CF828E6A1638E14D2C42C25B2B81F5A873C44FC5AD06D4E9E709CF421BF6C24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:47.979{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AECA0D1FBCE3D1F3D6421AE1BA8E44,SHA256=EFCE927EE4B7AFBF7D62A52FA3B4F22D5DE41547D08DCAD9E7B7E991595245D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:47.632{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3B59B3E053D9FCE1BCECC80D4B300293,SHA256=BC6E9DB9923FEA009EA18CE31F3980F112A3430C6B27E2A9F0975D80A61F1C61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:47.190{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA3D37E44EE1184CC0DBA8BEC363760,SHA256=E749828B903AC23C74F9186D829BB4D3762577451365FB0BE3AB14D5D050D45C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:44.638{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56253-false10.0.1.12-8000-
23542300x800000000000000015634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:48.287{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EEADA2112F452D93FF459F772F80DE,SHA256=4510B3E1DC85A4AC68B2CCED37CB1857EB1B3D77A31749E37CC9EB787E68DD7C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.833{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local57051-
354300x800000000000000040793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local61303-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domain
354300x800000000000000040792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local61303-
354300x800000000000000040791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9810:3ff4:6c3:ffff-61303-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-271.attackrange.local53domain
354300x800000000000000040790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60620-
354300x800000000000000040789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.831{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49876-
354300x800000000000000040788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.831{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49876-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domain
23542300x800000000000000015635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:49.364{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BF1C9374D73FF41481499F1B012FA1,SHA256=9E82911772B6E33706DF0F74870B2972F5899E06A1DCA78E356CE4E79D3604A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:49.039{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC241969F4E5D4E0F0F2AE6559ECA3C4,SHA256=452D3D0188B7DD75A7218C27C03B18AB79301B20B40961ACB48F40BA8EFE791F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:49.056{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50058-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:50.462{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B36CA3C2D78A7E02AE02A8781315A2,SHA256=D16712BC5D771318121E27C318038A1768CED86754B8DAC08B1B0A9B5B5F3D24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:50.114{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B37431F5E5774367CD051861D6FB76,SHA256=33D1BE3725E3BE8BEAE3AD568DDF6455F904DD09076A4C9288A8BA1EF003D26C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:51.543{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C60B840FD5EE79B5817DDA5D6E2F36,SHA256=D341A6C1ECBA788761CBAC96C2395BCC43D5C2ADC152C83168D00B235F59D1CE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23542300x800000000000000040810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.812{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=515D741B95347408C706D8D4C681538D,SHA256=07D88D9B6FB894BD541B690CB67414B3487FC55DF57882D496C9B4F8FF59AC07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.811{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_JdxFYFld8sd9fA5MD5=70A7E674CD8AAFC3782D3458F71DF6B9,SHA256=EDBFA5B9A533B8F30394A75F1D9AE0DA102ED2BF0E8EF6D2C45353856293D1B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.801{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=89B63BF9171A790249D1B1BDF3B5F9FF,SHA256=38A0B76F55F13046CC00877B9E7F56E9B579CE7629793CA01AF585399FB27C17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000040798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
23542300x800000000000000040797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.207{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5174D217F7E3E4CF1C4F4F825A338B82,SHA256=860E65D906349EF04B27FB6D3553CA4C0C780A5B95E4CEE9054D87EC3518E460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:52.618{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9191160E6EA40C0DC4FEE47CA5DF61,SHA256=01BE8BE1ED385BDF94E546B338F74201A72EEB01C28CCB03DF95C35833EA38EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:52.651{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEB98406131B7779A1601D4A7C24B7C,SHA256=4D0A52CD58959AB1D88BCD0B79DF5B2DF59305DE911502968AA3F83EF998FD18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000040826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:50.522{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56254-false10.0.1.12-8000-
10341000x800000000000000040825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:52.179{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23542300x800000000000000015640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:53.693{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5839CF4644BEDC66937C7223BEABAE4,SHA256=927DDB21E7E6EBFA0FE323D7D769940790E3C2CC600F339CF19F7795FAA9C2C6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:53.659{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F48EDAC9B976DF2312B3F8BC3F7102,SHA256=8C266CFF7F1B3C608667C937763093BD4EE50A888AB0BBFC8ED631F39E8BF8E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:54.765{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A81AE2D895A48018903F5E7DF1E28A9,SHA256=D2E70D475D01B89CCD90505AEFEB96017C9A046E178D33066E6A8CF28C9759D4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.718{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.716{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23542300x800000000000000040845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.714{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3880466F4358BA18061C3F7ECA5564D,SHA256=8888506CD8A109727F4636DA4EB8ABFD3D11DF18D492B74FF06AB87469C997A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.710{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.702{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23542300x800000000000000040835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.275{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=C4ED7FB46355B3445BC1F0F1BBA1FD85,SHA256=D710D66A913B12871CE037FDCF498445DAE5ED6A0CB48787CB88669BADAB0110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.193{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.192{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.187{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.175{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:55.855{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD9D53659A2174E86591F7E5B984039,SHA256=0C89927E51E007B62616739018D391901E6B5B317A420AFF3F1C6B7A342A72AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:55.880{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CB2A7B567FDA4D7F5836E867059AFDC,SHA256=F3CE98CE286B8C920211A7FA74F0780DD3B926B560C4B5CC0E6E2EB3C750D48A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:55.794{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B247F864DEA188CB259D3A350DD92EB,SHA256=B3B719D87B3783D562AE1C9DDA764F21BC3DB39CAEC3B2940BD7D835E329ECFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:56.943{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CD90D792F8FDE81CA5D9DE3395E981,SHA256=E5CB4A906F33089D413526F11153F935078B646882B8C34FA52A668111727D86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:56.889{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8428DFF9E24517F6FE15362C04D8F30F,SHA256=93E2A91E1D3D2C7A0D0DC86114215B2EB6A6AE19C4DC65345BAE04B32D0EB30A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:55.066{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50059-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
13241300x800000000000000015643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:18:56.152{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b37-0x0930af45)
354300x800000000000000040861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.304{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap
354300x800000000000000040860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.304{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap
23542300x800000000000000040863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:57.984{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5896886551AE4B808D737F5E8194D6,SHA256=DA9819C80F36C5AA28F542D92898F6E312BF1D801EEAB14EB66595573BC11C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:58.052{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D576E55762B6710F955FB38E6BDF74D2,SHA256=8C4322A6964C99BDA3B5240693A51202C25E10E1BEB456DBA1F83CFBD76B2085,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:55.656{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56256-false10.0.1.12-8000-
23542300x800000000000000015647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:59.147{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB3F1249B86944CCC5FF10722B0A5C,SHA256=1198CFDC905C779791626080E53268AB3AA599D6F1AC26C7BE4E3D954DFF8FDC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:59.064{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBC69A80A932BE6F2F7B13464911F9A,SHA256=11A57777946B057CA3183FADAD1FD7BE13A5FBE1CFE5E5B6B002B0BEF6A79205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:00.980{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8B1959BF99833F16F711E91999518B94,SHA256=60FEB39E6E66E071ACE13438A2B2DB95FFEA6866C603C2D956CF826630101730,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:00.234{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642D5CE847A0D05EA2ACFB29DEF675EE,SHA256=8AA6BAF60130BEABFC1EF11249064C723929075541B2A546FB19D5283137343F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:00.216{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A1D631F0E099D79FF0E3D4659B631EC7,SHA256=456C35DEDF8808407EAF16695871B6D102A3A5272CE1DDB0886FB2BD02ED3FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:00.138{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDEA7FFE55285A681FEB95F33E4CCD4,SHA256=3CA8743CA4FFB8F4778711096D41F0B30AE527ECC4B76E26FFE98B64BD5B6E3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:01.322{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4219CA102CBD12C8D29D54B324394CF7,SHA256=593B19EF47527418F0FC66D9C0A1E006AE9222EEBE867C76ADFEFB381217C0F1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:01.218{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801369A69B9C36EF6DF87A842C971635,SHA256=3CCCF31AC5465D4A9C4C1BB02D9824B54381363E2BBCA27179D44461D7D68F67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:02.285{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA9116B64715DE70B2B83F2837555E8,SHA256=B7AB05CCBBE2128C9159A497884340D313D9CAFAABFB40779680441D14AA6A02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.736{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.734{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.733{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.729{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
10341000x800000000000000015679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.727{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
Sysmon records from the Splunk export, one per line in the original order. The export dropped the field delimiters, so the fields are restored here in Sysmon schema order under their schema names. Values that every record carries are stated once and not repeated: Level=4, Opcode=0, Keywords=0x8000000000000000, Task equal to the EventID, Version=3 for EventID 10 and Version=5 for EventID 3 and 23, Channel=Microsoft-Windows-Sysmon/Operational, RuleName=-.

All EventID 10 (ProcessAccess) records on a given host come from the same source process with the same GrantedAccess and CallTrace; those source-side fields are bundled as [A] and [B] and referenced from each record:
[A] win-host-ctus-attack-range-933: SourceProcessGUID={E5A8D418-DC44-63C7-1C00-00000000B002}; SourceProcessId and SourceThreadId, concatenated in the export as 20202328 (the boundary between the two is not recoverable from the export); SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; GrantedAccess=0x40; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610)
[B] win-dc-ctus-attack-range-271.attackrange.local: SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}; SourceProcessId and SourceThreadId concatenated as 60686488; SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe; GrantedAccess=0x40; CallTrace identical to [A] except for the last frame, UNKNOWN(000000001631A190)

EID=10; RecordID=15678; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.726; TargetProcessGUID={E5A8D418-DC4A-63C7-5300-00000000B002}; TargetProcessId=3348; TargetImage=C:\Windows\system32\conhost.exe; [A]
EID=10; RecordID=15677; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.725; TargetProcessGUID={E5A8D418-DC4A-63C7-5200-00000000B002}; TargetProcessId=3336; TargetImage=C:\Windows\system32\WinrsHost.exe; [A]
EID=10; RecordID=15676; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.720; TargetProcessGUID={E5A8D418-DC47-63C7-3E00-00000000B002}; TargetProcessId=344; TargetImage=C:\Windows\system32\wbem\wmiprvse.exe; [A]
EID=10; RecordID=15675; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.718; TargetProcessGUID={E5A8D418-DC47-63C7-3900-00000000B002}; TargetProcessId=1148; TargetImage=C:\Windows\system32\conhost.exe; [A]
EID=10; RecordID=15674; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.712; TargetProcessGUID={E5A8D418-DC46-63C7-3500-00000000B002}; TargetProcessId=2744; TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe; [A]
EID=10; RecordID=15673; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.709; TargetProcessGUID={E5A8D418-DC45-63C7-2200-00000000B002}; TargetProcessId=2524; TargetImage=C:\Windows\system32\wbem\unsecapp.exe; [A]
EID=10; RecordID=15672; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.701; TargetProcessGUID={E5A8D418-DC44-63C7-1F00-00000000B002}; TargetProcessId=1284; TargetImage=C:\Windows\sysmon64.exe; [A]
EID=10; RecordID=15671; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.698; TargetProcessGUID={E5A8D418-DC44-63C7-1E00-00000000B002}; TargetProcessId=1200; TargetImage=C:\Windows\System32\svchost.exe; [A]
EID=10; RecordID=15670; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.697; TargetProcessGUID={E5A8D418-DC44-63C7-1D00-00000000B002}; TargetProcessId=1080; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15669; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.683; TargetProcessGUID={E5A8D418-DC44-63C7-1B00-00000000B002}; TargetProcessId=1944; TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe; [A]
EID=10; RecordID=15668; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.680; TargetProcessGUID={E5A8D418-DC44-63C7-1900-00000000B002}; TargetProcessId=1888; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15667; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.670; TargetProcessGUID={E5A8D418-DC44-63C7-1800-00000000B002}; TargetProcessId=1804; TargetImage=C:\Windows\System32\spoolsv.exe; [A]
EID=10; RecordID=15666; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.667; TargetProcessGUID={E5A8D418-DC44-63C7-1700-00000000B002}; TargetProcessId=1260; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=3; RecordID=15665; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:01.014; ProcessGuid={E5A8D418-DCC7-63C7-D000-00000000B002}; ProcessId=3144; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-ctus-attack-range-933.us-east-2.compute.internal; SourcePort=50060; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal; DestinationPort=8000; DestinationPortName=-
EID=10; RecordID=15664; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.652; TargetProcessGUID={E5A8D418-DC44-63C7-1600-00000000B002}; TargetProcessId=1224; TargetImage=C:\Windows\System32\svchost.exe; [A]
EID=10; RecordID=15663; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.646; TargetProcessGUID={E5A8D418-DC44-63C7-1500-00000000B002}; TargetProcessId=1104; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15662; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.638; TargetProcessGUID={E5A8D418-DC44-63C7-1400-00000000B002}; TargetProcessId=1084; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15661; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.633; TargetProcessGUID={E5A8D418-DC43-63C7-1300-00000000B002}; TargetProcessId=440; TargetImage=C:\Windows\System32\svchost.exe; [A]
EID=10; RecordID=15660; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.626; TargetProcessGUID={E5A8D418-DC43-63C7-1200-00000000B002}; TargetProcessId=1012; TargetImage=C:\Windows\System32\svchost.exe; [A]
EID=10; RecordID=15659; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.592; TargetProcessGUID={E5A8D418-DC43-63C7-1100-00000000B002}; TargetProcessId=952; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15658; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.587; TargetProcessGUID={E5A8D418-DC43-63C7-1000-00000000B002}; TargetProcessId=944; TargetImage=C:\Windows\System32\svchost.exe; [A]
EID=10; RecordID=15657; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.581; TargetProcessGUID={E5A8D418-DC43-63C7-0F00-00000000B002}; TargetProcessId=908; TargetImage=C:\Windows\system32\dwm.exe; [A]
EID=10; RecordID=15656; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.574; TargetProcessGUID={E5A8D418-DC43-63C7-0E00-00000000B002}; TargetProcessId=900; TargetImage=C:\Windows\system32\LogonUI.exe; [A]
EID=10; RecordID=15655; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.568; TargetProcessGUID={E5A8D418-DC43-63C7-0D00-00000000B002}; TargetProcessId=780; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15654; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.555; TargetProcessGUID={E5A8D418-DC43-63C7-0C00-00000000B002}; TargetProcessId=728; TargetImage=C:\Windows\system32\svchost.exe; [A]
EID=10; RecordID=15653; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.543; TargetProcessGUID={E5A8D418-DC43-63C7-0B00-00000000B002}; TargetProcessId=632; TargetImage=C:\Windows\system32\lsass.exe; [A]
EID=10; RecordID=15652; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.540; TargetProcessGUID={E5A8D418-DC43-63C7-0900-00000000B002}; TargetProcessId=572; TargetImage=C:\Windows\system32\winlogon.exe; [A]
EID=23; RecordID=15651; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:02.417; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=4E2220AC703377EB85528597CA4A586F,SHA256=9622A5641A9AEBCF7639F6D5641F60362EBC87CF53B3AE8B29084051521A2775,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=3; RecordID=40871; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:01.524; ProcessGuid={FE4C2B44-DA6F-63C7-DB00-00000000AF02}; ProcessId=4048; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-ctus-attack-range-271.attackrange.local; SourcePort=56257; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EID=23; RecordID=40870; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:03.366; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=FBD3125534B7596BFE657057EBE0D5E1,SHA256=0CB7974126F60E8A0D104C97F7C6AE5D333F27BB9D64A498CB048B779EEAF7E5,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=15685; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:03.985; ProcessGuid={E5A8D418-DCC0-63C7-9F00-00000000B002}; ProcessId=3096; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml; Hashes=MD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=15684; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:03.518; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7713CF148A4B88EEE06C41054AC177A1,SHA256=B8E83A919845F64F9A3D0BA4A071CB218516C73962ED8B2EC9D23E1A4D1157FF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=40872; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:04.447; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F86BEC949A8A9EE348410DA8B53FE2CD,SHA256=AA12577CABA957CAF3472845D3B27F4D3A9065F0EA47C00E08BFE176B9039B65,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=15687; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:04.886; ProcessGuid={E5A8D418-DC44-63C7-1B00-00000000B002}; ProcessId=1944; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe; TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-030; Hashes=MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=15686; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:04.602; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=A27491F106B1F209FA799A04321AC9BE,SHA256=9E2009C2403097692683F645467FCFF94C43DEEF7A3B11933365307BA875410E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=40873; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:05.533; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=60F8EAB3145936AA9B03B3031B9E25B6,SHA256=CF0F85905D4E2A6239E6DB2EFBBA6D874A93E2885FD9F00D5FDF080ECA0D4816,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=15690; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:05.889; ProcessGuid={E5A8D418-DC44-63C7-1B00-00000000B002}; ProcessId=1944; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe; TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-031; Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=3; RecordID=15689; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:03.849; ProcessGuid={E5A8D418-DCC0-63C7-9F00-00000000B002}; ProcessId=3096; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-ctus-attack-range-933.us-east-2.compute.internal; SourcePort=50061; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal; DestinationPort=8089; DestinationPortName=-
EID=23; RecordID=15688; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:05.700; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=E3E1A5A851947587DD4B7B81B23F9E5C,SHA256=7C2B9EF6062953FEF163C9461DAA6027C73F248BE3AC229A62ACB98EED524A60,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=15691; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:06.793; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F787612556D50737FBAE50927465A730,SHA256=F1ECCA227C2E0BF75793ADE4231F3476C3253C0DB6F90D874618AE5B36B4A885,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=40874; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:06.610; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3E463BD621DE5D1D9E2F92D0B604F6DF,SHA256=58AC2018FCCD57E82FE119B1AFB37D365620E5C47593059F0F13AEEB37A07486,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=15693; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:07.867; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=0E5DAFF3B2C60B212EE700D8B7049CAF,SHA256=A557F424A153DC9F6A31C94185A2C8DD21E10F8A2484E5AEBAC37995AA2661D7,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=3; RecordID=15692; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:06.127; ProcessGuid={E5A8D418-DCC7-63C7-D000-00000000B002}; ProcessId=3144; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-ctus-attack-range-933.us-east-2.compute.internal; SourcePort=50062; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal; DestinationPort=8000; DestinationPortName=-
EID=23; RecordID=40875; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:07.682; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D0A89CA1E1552F3CA8D5A121C3435F46,SHA256=A72A4566D83880274573D534FB43A9D9F6AC3788CC464A7DECF5F763A34A8B2B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=15694; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:08.957; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=A007411C2949BD8B1C798660E8D7E7A5,SHA256=475293D76404E448E305FA8552866B9A6ED2FA12D1418B9FE6511F38F6DB27CA,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=3; RecordID=40877; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:06.697; ProcessGuid={FE4C2B44-DA6F-63C7-DB00-00000000AF02}; ProcessId=4048; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-ctus-attack-range-271.attackrange.local; SourcePort=56258; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EID=23; RecordID=40876; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:08.764; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F3D47CCEF6BB0B356C7D6CDEB252224F,SHA256=56763BAA7EFBB90B7A37477AF7ADACEA897A2230DB4B5BC4CBF9717D4707AAFA,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=40878; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:09.831; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F93118A583AACD2F525C0DB0879BB122,SHA256=BEF63EBE87059D74F35AAF647D988F6E2612A4E620232CDBE553625035EF9662,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=40879; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:10.923; ProcessGuid={FE4C2B44-DA75-63C7-F400-00000000AF02}; ProcessId=2900; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=AB249A4D72A71DCD5C4775EB708B1D80,SHA256=3A260AF291734B09E927677775663E57D765E80A4DE4B4DA38B881FFC1353387,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EID=23; RecordID=15695; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:10.048; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=6D5AAE293A09BD5049CF51EDFFB88742,SHA256=1E03C44A37C168808550F85F30A01B2087072A8844C18C03DC6D656AAE8BC75E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; RecordID=15696; Computer=win-host-ctus-attack-range-933; UtcTime=2023-01-18 12:19:11.134; ProcessGuid={E5A8D418-DCCE-63C7-EB00-00000000B002}; ProcessId=3756; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3AEFA8FB6D3A11D40D4BAD271D8C8EE3,SHA256=D65EE49A5E32ED0FE802E79D06B14091B8303D3B7654EF3A0F8E0DF8A993D5BF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; RecordID=40906; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:11.884; TargetProcessGUID={FE4C2B44-DA03-63C7-2700-00000000AF02}; TargetProcessId=2624; TargetImage=C:\Windows\system32\dns.exe; [B]
EID=10; RecordID=40905; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:11.882; TargetProcessGUID={FE4C2B44-DA03-63C7-2400-00000000AF02}; TargetProcessId=2492; TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe; [B]
EID=10; RecordID=40904; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:11.877; TargetProcessGUID={FE4C2B44-DA03-63C7-2500-00000000AF02}; TargetProcessId=2500; TargetImage=C:\Windows\system32\DFSRs.exe; [B]
EID=10; RecordID=40903; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:11.875; TargetProcessGUID={FE4C2B44-DA03-63C7-2200-00000000AF02}; TargetProcessId=2476; TargetImage=C:\Windows\System32\ismserv.exe; [B]
EID=10; RecordID=40902; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:11.871; TargetProcessGUID={FE4C2B44-DA03-63C7-2100-00000000AF02}; TargetProcessId=2468; TargetImage=C:\Windows\system32\svchost.exe; [B]
EID=10; RecordID=40901; Computer=win-dc-ctus-attack-range-271.attackrange.local; UtcTime=2023-01-18 12:19:11.855; TargetProcessGUID={FE4C2B44-DA03-63C7-1F00-00000000AF02}; TargetProcessId=2444; TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe; [B]
10341000x800000000000000040900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23542300x800000000000000040895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.833{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D55DF38FD64A21F60293E02424C7A3B8,SHA256=0B6C28D7B6409B6571B627B0DBA6E93BBA5757F9E487F6EE38022A9EE011D93F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.833{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_OAMjnvcZplF4RjmMD5=9659E654B45026A06047B596A2C5B3F2,SHA256=AE31E85FFCBAB2848C1051EB9B1B37C340F560AD93CA1EE7FB18386A897FCB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.822{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=B9AD573AD60CE031C159A81D90F89442,SHA256=7DEF5CB9002F0D0551385BBFFE4BB3DB06592E58C82B315F48B0E45F69E8A7F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.689{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23542300x800000000000000015697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:12.225{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09643D2E3425107E0A9FE811005437D,SHA256=FEE7E702BAA746D1941B0A7AF4C752DF64CBF71936E5FF8FEBD48639ED164B45,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:12.227{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF10DBEBD99A6F66A2FF35BDE4658C0,SHA256=8F800DC0A18B1CC5BD3C15B3E4D05D9798D85724E00398B79A9282AF4EBB3F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000040907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:12.186{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
354300x800000000000000015699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:11.933{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50063-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:13.332{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A42AC522529100033D0BC01B960709B,SHA256=3EB9CE2E6ECB0FCD946E5376AE53468881508996A327C647D4E6C1F6017FEA84,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:13.267{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E4A34A83F523351CA6D9A44DF7413,SHA256=CD12B448469D752CDD089954BE7FB2E960BC5AFFAC076641C1D1847E5091F146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:14.423{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2497684B7EE8BD68D92D475EED6B5EA4,SHA256=8B2B109DD12528199FF40498D12DFB26C46C0F754ADC302A61556BA63C1E1E4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000040935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
354300x800000000000000040928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:12.588{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56259-false10.0.1.12-8000-
10341000x800000000000000040927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10341000x800000000000000040925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
Field order for EventID 10 (Sysmon ProcessAccess) records: EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (the CallTrace frames are joined with an unspaced "|")
Field order for EventID 23 (Sysmon FileDelete) records: EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
Field order for EventID 3 (Sysmon NetworkConnect) records: EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName

10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40924 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.742 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF5-63C7-A404-00000000AF02} | 4616 | C:\Windows\system32\dwm.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40923 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.740 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DDF4-63C7-A104-00000000AF02} | 4952 | C:\Windows\system32\winlogon.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40922 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.738 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA7E-63C7-F900-00000000AF02} | 4844 | C:\Windows\System32\msdtc.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40921 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.735 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40920 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.733 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA6F-63C7-DB00-00000000AF02} | 4048 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40919 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.732 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA67-63C7-AE00-00000000AF02} | 4912 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40918 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.727 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA67-63C7-AA00-00000000AF02} | 2092 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40917 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.727 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA1C-63C7-7500-00000000AF02} | 3048 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40916 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.726 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA1C-63C7-7400-00000000AF02} | 3024 | C:\Windows\system32\WinrsHost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40915 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.725 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA05-63C7-3E00-00000000AF02} | 3580 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40914 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.723 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA05-63C7-3B00-00000000AF02} | 3500 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40913 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.343 | {FE4C2B44-E326-63C7-F905-00000000AF02} | 3260 | ATTACKRANGE\Administrator | C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe | C:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journal | MD5=8C6F8F7FDFAF415C3333CF0E45EAAFA4,SHA256=B19EB2B80884DBD399BBD700AC7663CBCC7A2F61FCFC3E85BE648E9AC9FFEFDD,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40912 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.328 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E2066AF9201951A97A6C4866903EBA0E,SHA256=ED53A59A7BB3F20D2F32B46B3C29958F168D8249F24B86322E80152CCD2F2908,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40911 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.208 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA03-63C7-2C00-00000000AF02} | 1648 | C:\Windows\System32\vds.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 40910 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:14.207 | {FE4C2B44-DE08-63C7-F104-00000000AF02} | 6068 | 6488 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {FE4C2B44-DA03-63C7-2A00-00000000AF02} | 2844 | C:\Windows\system32\wbem\unsecapp.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190)
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15701 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:15.517 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E996C964977D1C9AD2BCF9E74A41EA7D,SHA256=32F977E1C3D35880125334FA013631FC4BE387E06F0FEEE6B81BBF4E09CA1EFF,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40936 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:15.396 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=309416DA3B552703AEF4A933002E0F40,SHA256=4317A39DC3805C8B8ABB558E6546932DDD9B4302665D1467A9DA27FF7BCC0DFA,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15703 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:16.608 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7CAB5DA17E06C710A4DAAB05CD5D2857,SHA256=75C75164F0E43CA2FDA7A164D89DC9C16846ED36D28F0809FCA57B94651AEE6B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40937 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:16.464 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EAFC6C412E16E9E8C4CE618BCFC9CA1E,SHA256=4E6B483DC744C229CF45421179D8BA67230F75BE2311513DB1E5545059A6FC3B,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15702 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:16.376 | {E5A8D418-DC43-63C7-1200-00000000B002} | 1012 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | MD5=FDFB3F426FFC1B524710DDC8CF1C7F1D,SHA256=C81BD59B3E28F6AD56FA47215D1C6F73CC17348F865A27011739068F8EC31974,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15704 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:17.708 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=62C8C34EF47B3E09A146C6AA711ABA2A,SHA256=E3D31C5770E7962B2BDF8FFAEA9B76215F8CEB48C8E648326B2DDCF23EE564FD,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40938 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:17.534 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B28E0837DA6B7E5F7FE579A480B4B6A8,SHA256=E53AE36B2E7ABA33E19275EC42471EF2619FA5A5384257A0036E5531B7A632C0,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40939 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:18.596 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5319193977965C873F8BA529702BDF05,SHA256=6F67494C7E01BCFD291038714F17612225031237226D35A6F82DB535B6261705,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15705 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:18.793 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E830101D92B39E9CA917F2B27879E2EE,SHA256=B2D2B9639AE4B301D987E953ADD76528102FB89983BD30D06D9AC9D384098B4A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40940 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:19.672 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AE2789534D561C465D64B6EC8509FEA6,SHA256=AE92B485974C51CF0E117F5770CEF244CCFCF5BE9801F444FB7E3DD2C0CB8CF5,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15709 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:19.877 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0824F5583CADBB4A9976EE8BCFADA339,SHA256=33126767C4C6C6BD7A8B4EB884F8A7197C8C345228C2B9D5BEBFD0BA86F52D67,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15708 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:19.768 | {E5A8D418-DC43-63C7-0C00-00000000B002} | 728 | 3236 | C:\Windows\system32\svchost.exe | {E5A8D418-DC44-63C7-1500-00000000B002} | 1104 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15707 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:19.768 | {E5A8D418-DC43-63C7-0C00-00000000B002} | 728 | 3236 | C:\Windows\system32\svchost.exe | {E5A8D418-DC44-63C7-1500-00000000B002} | 1104 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15706 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:19.768 | {E5A8D418-DC43-63C7-0C00-00000000B002} | 728 | 3236 | C:\Windows\system32\svchost.exe | {E5A8D418-DC44-63C7-1500-00000000B002} | 1104 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40941 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:20.775 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A4472F0BD957AF30925C6FF5F03D23EF,SHA256=51CC6953DF8BF135132DDCE473F201574CB0F84EE71CAD55319C10DC2F6D84FA,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 15711 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:20.964 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6731253DF3D54F75D23EC0D3C9C88ED4,SHA256=92392C876B910D2080810CC35A08A741699AA39452029801BDB42B57807208E7,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 15710 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:17.005 | {E5A8D418-DCC7-63C7-D000-00000000B002} | 3144 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-ctus-attack-range-933.us-east-2.compute.internal | 50064 | - | false | 10.0.1.12 | ip-10-0-1-12.us-east-2.compute.internal | 8000 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 40943 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:18.550 | {FE4C2B44-DA6F-63C7-DB00-00000000AF02} | 4048 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-ctus-attack-range-271.attackrange.local | 56260 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40942 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:21.855 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E7CE203F47D70D1929C1512CC535BA42,SHA256=224ADDFEA50124C7240611FF9AF2C880711EDCA589DB8F448D45A0D89B787824,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 40944 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-271.attackrange.local | - | 2023-01-18 12:19:22.921 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CC08F4D264CF93B88D99E17CFBCEF4F8,SHA256=4122B6149A61C08D97F0E0C7D050C2A99A362F2F1A7B64FB1FA849E194B63126,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15743 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.847 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15742 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.840 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCC7-63C7-D000-00000000B002} | 3144 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15741 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.839 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCC0-63C7-A300-00000000B002} | 968 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15740 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.831 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCC0-63C7-9F00-00000000B002} | 3096 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15739 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.827 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DCBE-63C7-9400-00000000B002} | 4004 | C:\Windows\System32\msdtc.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15738 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.824 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC4A-63C7-5300-00000000B002} | 3348 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15737 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.823 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC4A-63C7-5200-00000000B002} | 3336 | C:\Windows\system32\WinrsHost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15736 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.811 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC47-63C7-3E00-00000000B002} | 344 | C:\Windows\system32\wbem\wmiprvse.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15735 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.807 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC47-63C7-3900-00000000B002} | 1148 | C:\Windows\system32\conhost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15734 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.797 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC46-63C7-3500-00000000B002} | 2744 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15733 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.795 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC45-63C7-2200-00000000B002} | 2524 | C:\Windows\system32\wbem\unsecapp.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15732 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.786 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1F00-00000000B002} | 1284 | C:\Windows\sysmon64.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15731 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.781 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1E00-00000000B002} | 1200 | C:\Windows\System32\svchost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15730 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.778 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1D00-00000000B002} | 1080 | C:\Windows\system32\svchost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15729 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.764 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1B00-00000000B002} | 1944 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15728 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.761 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1900-00000000B002} | 1888 | C:\Windows\system32\svchost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15727 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.745 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1800-00000000B002} | 1804 | C:\Windows\System32\spoolsv.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15726 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.742 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1700-00000000B002} | 1260 | C:\Windows\system32\svchost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15725 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-933 | - | 2023-01-18 12:19:22.717 | {E5A8D418-DC44-63C7-1C00-00000000B002} | 2020 | 3040 | C:\Program Files\Aurora-Agent\aurora-agent.exe | {E5A8D418-DC44-63C7-1600-00000000B002} | 1224 | C:\Windows\System32\svchost.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.673{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.656{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.596{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.559{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
10341000x800000000000000015713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190)
23542300x800000000000000015712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.076{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2900050B5C1D466C11BE6D1EAFF58942,SHA256=66C26DC9C366B8B6022395C687CAD89C3E111A67D807F9411476BACBD3193E53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:23.990{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D2BFF5096B964FBBB12666307A3DE1,SHA256=BC58962FB9874CF2516DAE0111117B8326335AA0162326A703674D7530CFFAA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:23.266{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE97D5BA3AEDB6DA21AED2420DD3F239,SHA256=5CC97EF27B54D0182341AC09EA2C11F7F7EB828A3BCEDF1AD78AB14094D16E92,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:24.348{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75685D74D845BB8B424CA73E7D3F0510,SHA256=04C81F8F6F3099BBD46C9FA97EC8A02BCBEA216A3B19F8DD8FE8C333DE591054,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.049{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50065-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000015751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.670{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.654{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000015747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.429{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC16D6DFCAB14AAB07BF3AAF942DC1,SHA256=D179A9BE5B9068D0E7FB9E19D24CC6053F7CC53EB02834CA2591861F55F491BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:25.049{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9832883CB74E0E746966A07A38C21D7,SHA256=6EA7319C20E49AAB1544A4057C88A0657EA1D78F7594967EC9D9F0C9C542DB0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:26.507{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C546712946BA910DBF1D5409A9513F5F,SHA256=F6A35F3B6ECB1E0397032750D55C8DF3F38751A65D522BF2B62A68068B110176,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:26.518{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC8D9E8CFF7C6C7A49EDF2C654172306,SHA256=4114D69E405E1903FF7AB230C8006FF017957950993492E5AE8DBDFB8EEE3D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:26.112{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78D74176BE49A4A3CC1A83780C3B41B,SHA256=73E7AB4FCA3411A60325126B4444775D8B0479305EEDDFC0BDB547C519F939CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:27.599{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C3420F8186D2B63F2E8B878F63DE1A,SHA256=C4445AB4C86017A2935DBEADFC1AD89BEF7260CD5B76A35358E57EB6416EFF28,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:27.513{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:27.201{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE427ABA5CE56C94E49AD51026E5FF8,SHA256=243ADF0FB796EC0265965C6CA4E7E3E51D9B3C7DAD90801EF88A54FF3014860D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000040949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:24.534{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56261-false10.0.1.12-8000-
23542300x800000000000000015754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:28.686{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF6F0F9C2AF3B92B008DE5247C12662,SHA256=98B6B7E1373DE5BC72399C5F07B417B6883212038F63C1DAC246F7E90C8A41E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000040952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:28.159{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FB75E8D157E3CC2530BBA9614AE28F,SHA256=D181AA4E3EE74EE2B0C471D37A565C79DBE7122DE5C60DCF1A0E910C0FACEDDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.827{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000015773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.778{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17B86027CDE1A27E793F4671436F7FB,SHA256=451A1415B01AD26D916E0F29EA476C11AFC878FB17BB7CA1DD516D60580276BA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:26.983{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56262-false10.0.1.12-8089-
10341000x800000000000000040969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.889{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000040961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.225{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F42B3F963666CC438B600C8202B9CF4,SHA256=753F95911AE341E26FF4DC129463371A5517D59546BB1DB9A14B9D8E5E27B16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:27.087{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50066-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.300{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=373ED92B0B2220DCB85BD1D08DB7D302,SHA256=A3468E9480F2266C92E107CB742F11A5F7EBB75044DA72D82C641F6BC5790D32,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.255{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.254{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.254{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000040960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000040993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.730{FE4C2B44-E3D2-63C7-1406-00000000AF02}63565528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000040987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000040986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000040985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.575{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
13241300x800000000000000040984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000040983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002699c6)
13241300x800000000000000040982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xbb621116)
13241300x800000000000000040981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x1d267916)
13241300x800000000000000040980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x7eeae116)
13241300x800000000000000040979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000040978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002699c6)
13241300x800000000000000040977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xbb78744b)
13241300x800000000000000040976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x1d3cdc4b)
13241300x800000000000000040975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x7f01444b)
23542300x800000000000000040974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.418{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D963215F70C6C363BEFB8D583F84B78E,SHA256=9AFB121E0537807700E537F6B7339276D23C43AEBCB5572E26955F75C3F13BDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.277{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A523283E6BF0A73241FFCB7E1790291,SHA256=4B09A2819DEF12EA099C03C767048346F4633BDDF49222E608B24F2DC1711484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000015801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.453{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000015788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.278{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D99DB1620EF8B0FDA24A220ECA0A45AF,SHA256=A64C3B4BE11617D8B470A7A8265768531EEC185C496802B07EA86056A759AEAA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.028{E5A8D418-E3D1-63C7-EF01-00000000B002}26521172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000040972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7503399E6E87B99D9FEB3D50CFFE18DC,SHA256=70ADE20574781EB01C55D67C82D92F76835A2182207D79D243AEFA6AF4BCC153,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000040971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A84E51D981762BC41B807D47087BC249,SHA256=BFFCCBE83BB6D0B831579C1D199764BB955EF1B7A404702568820307A77462AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
23542300x800000000000000015803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.228{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26C9DCD52CC793961D242AB5B6EB50FE,SHA256=9E2E2329B8BFE39A9EB91381052BBE19C70129453D556974A3D9EEE7EEB8FF74,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.055{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6368942BF4C283F30E196B8CFBE52F70,SHA256=7FB118051D9ABE3AA06A204E344BBCDCFFB756E0FEAC074CCFB8F7F98A2FD08F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.883{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000015835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.525{E5A8D418-E3D4-63C7-F201-00000000B002}37003792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.415{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.414{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.414{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x800000000000000015831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.295{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000015818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.158{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F986A0AFCC441755A35D5FC5A3CBCC0,SHA256=3B46854CE4BF6A1AEC6D2532C60159B3A4F9E1C299F4B536E1B720BA55B49D4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000041042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.584{FE4C2B44-E3D4-63C7-1606-00000000AF02}53406820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.446{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000041033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F738C6041547FB6A8CE1B0AEE7A3F878,SHA256=C58C08FFCFA630515983F63EB77E6C6DDC5BF5CB3333D17EEDAAEB22D6996FD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.241{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
354300x800000000000000041031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.553{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56263-false10.0.1.12-8000-
10341000x800000000000000041096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.937{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000041088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.568{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D288693A9070E444A229479CE5326A,SHA256=462C1D91E96A9947D96D5FAFAD416A953C44FB323328407CD5AE5955445F4C33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:33.500{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429C167E634FD6E13223C5A9DE9740C4,SHA256=552E842BED75384B81A649BBB3B2F1E965AB76A4508CF2122EDA592DB40AA114,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000015849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:33.109{E5A8D418-E3D4-63C7-F301-00000000B002}35562900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.444{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x800000000000000041086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
23542300x800000000000000041102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.667{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A8513A3142389F03B8F8020E4F8364,SHA256=98215EAFB1CD84E5E6A9C451FD95D1B43CE5DC6610E2D760444FEB17CC17F94D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000041101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.393{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=263F9495A47A9B02D545A48354304129,SHA256=7B662D7A28EA3A36884BDEAAFBEA9CC74F374B9473E9088E74664AFFFBF97F52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.273{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
10341000x800000000000000041099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.272{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850)
354300x800000000000000041098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.010{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61677-
354300x800000000000000041097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.008{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64234-
10341000x800000000000000015863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000015853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000015852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000015851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.412{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000015867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:33.020{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50067-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:35.636{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E777D097E201F5EF17ABD1D0BD13951F,SHA256=81DE227B53FA80822282B798A122C0DC0FCCE9DB398664A7ABE61D6D46AF77B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:35.766{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E8A6B286B7A104738F4E2733F1A0F5,SHA256=33FFA0ECF7EAD9553FEAA2BFF351A6D0C99656629CC8A50E13C63491F75EFEDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:35.520{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3457F5005F3FABAEBDF359A48D8E5325,SHA256=44CD7756DEC8258C5399CAC50D658A2EA14967B0E3043F512CC03C3C758A08A6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000041129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.932{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56266-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds
354300x800000000000000041128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.932{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56266-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds
354300x800000000000000041127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.832{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56265-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap
354300x800000000000000041126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.832{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56265-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap
354300x800000000000000041125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.823{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56264-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap
354300x800000000000000041124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.823{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56264-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap
23542300x800000000000000015868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:36.726{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4658AF919C86FBDE6163A9C728A64E3,SHA256=976D37BD5C39166B43F6893023E5F45255CCF3B5BFAD8D4EA79C743EC61ACB35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:36.851{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A1A7C1C38FF79A18E0EAD1A92F9AE,SHA256=1F63E4E2E67C6D08B36D199BF4A5C192BBE7CC14CEF6C4DD81E446220D3F763A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:37.818{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15573BB507CE0471953A80E6824C4CE,SHA256=EE5FF21DCADF8AD40C7904F39FE1DEEB1E8603450726875C541FD9747A71A716,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:37.934{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87E1560F9D106A5E3446D4D94EA647A,SHA256=B3B79F15D255EB4CECBFCCB6BCC97916449FF4943BB6E5807B2D01586F263BC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000041132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.647{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56267-false10.0.1.12-8000-
23542300x800000000000000015870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:38.906{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF27915B3BE448BD5E6B67E1D99B7CE,SHA256=D909DEEB40CFC616849338D69289ADD9838D0D6C84C83347C79B91B98167D059,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:39.979{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F36181FD24B14C1EBFB7839D243561,SHA256=FBC05AED674D7C6EE1640F8C21C26B09DF2323F8D684826726A9E4BCFB94FA41,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:39.004{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CC860AB437A4F330942E127CBACD8F,SHA256=6962A778C6F603A8732A7181979E17764F4165E7D8CF6F906567E4AC2BADAFCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:38.023{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50068-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000041135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:40.067{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2367F16612D8D33E247CB80ABCFA0338,SHA256=065597D8230E009F8D8A4335FE7FD3A2E61A21C12D192F10FC63AB6817418BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:41.071{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A184F01086A7100F56A507D6133E0340,SHA256=83D9DDC9C9DA3C1C3956A8D8F8AF87F23337F5DB2FD57A044EEEF8C0FEC6D165,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:49.851{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C31928B12856D56C2E8498BB1A9660,SHA256=760922E0B340F9BADCDE97EB8D9D9BD221292F33188F8D5F904B3E708E356797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:49.000{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B2C27D6E32C26D410682564C86F54D,SHA256=DA3FEC5D5BEAB52190FC9C05F52E303AB0DC09F89AB0E92773140D9901CEAF89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:50.945{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC090D177061B0BEDB3C5EB811BBB43,SHA256=A4DBC886F7793D2786628AA9E646AA3B2ABFB99FF9BCADACFF20E033D2EDC52B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:49.083{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50070-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:50.091{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA58EFCA7626CDCDDF64198C19B46EE,SHA256=621F036740903EEAAD449AC731792657E9647E11A3A23D3609B64B2454F4DFAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:51.186{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC58856A40F9A0A1FCA83583510A6FB4,SHA256=CE7A19CB69C1C73BDF55FA861F7DB35486F8C5B1C00A237C0E3E913E39CB6C1E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000041180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000041171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.863{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=0EF1E14D462A19CC02230EF736506FC7,SHA256=C847EFB3ECE39F61C6DBD21E18BD3886174089EC4C5AFC370A8BDA32F64AF8DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000041169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.863{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_BJ0Crr7PNEz8clCMD5=F2326463FB9849F2710FBB35984E2A19,SHA256=FAA0D1BF65B649A3209F8958C993D37A2487CB91E7BF37B719F1347D3187E02F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000041167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.853{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=AC6D85E1964B369E1090FFB407AD4630,SHA256=A5194CD8F7C556CEF41451667843FECDCD6496D81D73848DC3C05D37402C99D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.809{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000015916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:52.270{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FC62F5C6B1E4860648D31CC65BEE07,SHA256=F56C640F642F8A7CEBFEC55D6C50D16CFE21488864FE22657A3615DD00CC6E47,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:52.384{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BA529076F0904311C4D54963D7979F,SHA256=80BEF11786A190650B75C639440B396A506DF797AEA053F3E9EDCFE006AF505E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:52.219{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000015917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:53.336{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CDB71C78454D7100524DCAF14BD4A6,SHA256=C3F08D81BA12E006717A955724B0350063C95C30C9F82933E1FEA65268A083DF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000041184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.608{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56270-false10.0.1.12-8000-
23542300x800000000000000041183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:53.275{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E88934427171686F8E2E4C89205E9C,SHA256=CF79CDEFC2F0EF000FB811CE0990C1A6C0D0793DA067759894044FB2958E3A01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:54.403{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18C158D48E46A387F36C23E090D133D,SHA256=F4794BC039BF0746BE6B1F25563511663E9209A3AEAFB1C4ED7BBD05E8DCFE06,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000041210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
Sysmon records from Microsoft-Windows-Sysmon/Operational, 2023-01-18 12:19:54.178 to 12:20:02.797 UTC, from two hosts: DC = win-dc-ctus-attack-range-271.attackrange.local and HOST = win-host-ctus-attack-range-933. The export had stripped the delimiters between the Sysmon fields; they are restored below in schema order and grouped by event type, with EventRecordID and UtcTime kept on every row so the original order can be recovered. Values common to every record: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID, RuleName=-; Version=3 for Event 10 and Version=5 for Events 3 and 23.

Two call traces recur verbatim on every Event 10 row sourced from aurora-agent.exe and are written out once here:
CallTrace [DC] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
CallTrace [HOST] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)

Event 10 ProcessAccess, Computer=DC. 22 records from one source: SourceProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02}, SourceProcessId=6068 (confirmed by record 41185, where the same GUID appears as target), SourceThreadId=6500, SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess=0x40 (PROCESS_DUP_HANDLE), CallTrace=[DC].
Columns: EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage
41209 | 2023-01-18 12:19:54.864 | {FE4C2B44-E317-63C7-ED05-00000000AF02} | 6268 | C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe
41208 | 2023-01-18 12:19:54.863 | {FE4C2B44-E0D1-63C7-5E05-00000000AF02} | 5280 | C:\Windows\system32\conhost.exe
41207 | 2023-01-18 12:19:54.863 | {FE4C2B44-E0D1-63C7-5D05-00000000AF02} | 4176 | C:\Windows\system32\cmd.exe
41206 | 2023-01-18 12:19:54.861 | {FE4C2B44-E02A-63C7-4705-00000000AF02} | 4708 | C:\Windows\system32\wbem\wmiprvse.exe
41205 | 2023-01-18 12:19:54.854 | {FE4C2B44-DE09-63C7-F204-00000000AF02} | 5228 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
41204 | 2023-01-18 12:19:54.839 | {FE4C2B44-DE08-63C7-EF04-00000000AF02} | 6056 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
41203 | 2023-01-18 12:19:54.816 | {FE4C2B44-DDF9-63C7-C404-00000000AF02} | 5200 | C:\Windows\Explorer.EXE
41202 | 2023-01-18 12:19:54.810 | {FE4C2B44-DDF7-63C7-B504-00000000AF02} | 1332 | C:\Windows\system32\svchost.exe
41201 | 2023-01-18 12:19:54.801 | {FE4C2B44-DDF7-63C7-B104-00000000AF02} | 5076 | C:\Windows\System32\rdpclip.exe
41200 | 2023-01-18 12:19:54.796 | {FE4C2B44-DDF5-63C7-A404-00000000AF02} | 4616 | C:\Windows\system32\dwm.exe
41199 | 2023-01-18 12:19:54.794 | {FE4C2B44-DDF4-63C7-A104-00000000AF02} | 4952 | C:\Windows\system32\winlogon.exe
41198 | 2023-01-18 12:19:54.791 | {FE4C2B44-DA7E-63C7-F900-00000000AF02} | 4844 | C:\Windows\System32\msdtc.exe
41197 | 2023-01-18 12:19:54.788 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
41196 | 2023-01-18 12:19:54.786 | {FE4C2B44-DA6F-63C7-DB00-00000000AF02} | 4048 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
41195 | 2023-01-18 12:19:54.785 | {FE4C2B44-DA67-63C7-AE00-00000000AF02} | 4912 | C:\Windows\system32\conhost.exe
41194 | 2023-01-18 12:19:54.781 | {FE4C2B44-DA67-63C7-AA00-00000000AF02} | 2092 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
41193 | 2023-01-18 12:19:54.780 | {FE4C2B44-DA1C-63C7-7500-00000000AF02} | 3048 | C:\Windows\system32\conhost.exe
41192 | 2023-01-18 12:19:54.780 | {FE4C2B44-DA1C-63C7-7400-00000000AF02} | 3024 | C:\Windows\system32\WinrsHost.exe
41191 | 2023-01-18 12:19:54.779 | {FE4C2B44-DA05-63C7-3E00-00000000AF02} | 3580 | C:\Windows\system32\conhost.exe
41190 | 2023-01-18 12:19:54.777 | {FE4C2B44-DA05-63C7-3B00-00000000AF02} | 3500 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
41187 | 2023-01-18 12:19:54.261 | {FE4C2B44-DA03-63C7-2C00-00000000AF02} | 1648 | C:\Windows\System32\vds.exe
41186 | 2023-01-18 12:19:54.260 | {FE4C2B44-DA03-63C7-2A00-00000000AF02} | 2844 | C:\Windows\system32\wbem\unsecapp.exe
Reading: the wow64.dll frames and the (wow64) annotations mean the agent is a 32-bit image running under WOW64. The same trace ending in aurora-agent.exe+6a255 on every row, the same access mask, and 20 targets inside 87 ms (12:19:54.777 to .864) describe one enumeration loop over the process list, consistent with a handle sweep, not 22 unrelated accesses. lsass.exe is not among the targets. Sysmon Event 10 detections keyed on GrantedAccess and TargetImage need this agent baselined or they alert on every sweep.

Event 10 ProcessAccess, Computer=DC, one record with a different source and mask:
41185 | 2023-01-18 12:19:54.178 | SourceProcessGUID={FE4C2B44-D9F5-63C7-0C00-00000000AF02} SourceProcessId=832 SourceThreadId=864 (split inferred; the export gives no boundary and both values are 4-aligned) SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={FE4C2B44-DE08-63C7-F104-00000000AF02} TargetProcessId=6068 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | GrantedAccess=0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
Reading: the rpcss.dll frame identifies this svchost as the RPCSS service host opening the agent process with a query-only mask while servicing an RPC call; this is the benign direction (system service to agent), not the agent's sweep.

Event 10 ProcessAccess, Computer=HOST. 10 records from one source: SourceProcessGUID={E5A8D418-DC44-63C7-1C00-00000000B002}, SourceProcessId=2020, SourceThreadId=3024 (split inferred, both 4-aligned), SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess=0x40 (PROCESS_DUP_HANDLE), CallTrace=[HOST].
Columns: EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage
15958 | 2023-01-18 12:20:02.797 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
15957 | 2023-01-18 12:20:02.793 | {E5A8D418-DCC7-63C7-D000-00000000B002} | 3144 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
15956 | 2023-01-18 12:20:02.792 | {E5A8D418-DCC0-63C7-A300-00000000B002} | 968 | C:\Windows\system32\conhost.exe
15955 | 2023-01-18 12:20:02.783 | {E5A8D418-DCC0-63C7-9F00-00000000B002} | 3096 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
15954 | 2023-01-18 12:20:02.778 | {E5A8D418-DCBE-63C7-9400-00000000B002} | 4004 | C:\Windows\System32\msdtc.exe
15953 | 2023-01-18 12:20:02.776 | {E5A8D418-DC4A-63C7-5300-00000000B002} | 3348 | C:\Windows\system32\conhost.exe
15952 | 2023-01-18 12:20:02.775 | {E5A8D418-DC4A-63C7-5200-00000000B002} | 3336 | C:\Windows\system32\WinrsHost.exe
15951 | 2023-01-18 12:20:02.768 | {E5A8D418-DC47-63C7-3E00-00000000B002} | 344 | C:\Windows\system32\wbem\wmiprvse.exe
15950 | 2023-01-18 12:20:02.767 | {E5A8D418-DC47-63C7-3900-00000000B002} | 1148 | C:\Windows\system32\conhost.exe
15949 | 2023-01-18 12:20:02.763 | {E5A8D418-DC46-63C7-3500-00000000B002} | 2744 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe

Event 23 FileDelete. IMPHASH=00000000000000000000000000000000 on every row (non-PE content) and is omitted from the Hashes column.
Columns: EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
41189 | DC | 2023-01-18 12:19:54.459 | {FE4C2B44-E326-63C7-F905-00000000AF02} | 3260 | ATTACKRANGE\Administrator | C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe | C:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journal | MD5=885F98AE72623888AD495D3680AB3A18,SHA256=1257B669E22A88661FB62020634537DF1BA7C78F081CF20849EEFC3C498E2FDB | false | false - insufficient disk space
41188 | DC | 2023-01-18 12:19:54.365 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2CC217ED82904EA6850AF161700A73D2,SHA256=4130121C83790CE44DC1736039903144103C85D5F40DE30C51CE33090DD0FF41 | false | false - insufficient disk space
15919 | HOST | 2023-01-18 12:19:55.488 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D75794DDAA35A09DC703AB8A474C9113,SHA256=93AAA894119CA8DA5ED0C2FBB70A6CDD667E466E695687CED74FE8A09E155544 | false | true
41212 | DC | 2023-01-18 12:19:55.876 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D70DDE17ACBA7C1F2498EFAC4895C1F3,SHA256=1B21FD4A13583B947A60C74580CE7C24856C4BA3E470094A0C9BE8B6A8F86F6D | false | false - insufficient disk space
41211 | DC | 2023-01-18 12:19:55.443 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=79D491116018890476F2C2BC9C3A284B,SHA256=83652288707AE9521927A27C848D9FD9D2F183DD32C7121903B8D9C700591EE4 | false | false - insufficient disk space
15920 | HOST | 2023-01-18 12:19:56.572 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FA303F361905360AB59EB91EAE328D8A,SHA256=F65CDF4A12DC6B753002663759A7498C7AEFB14F5FA76514413DBFEE2D0503A7 | false | true
41215 | DC | 2023-01-18 12:19:56.529 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7556D170D3D3F4B0DA4746E76218E073,SHA256=C6B8DC326322236199B0AAD55B963CCA70A884DF9661F04FD505A0B2211E133E | false | false - insufficient disk space
15921 | HOST | 2023-01-18 12:19:57.667 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A1526E6632202FA2C10A9AF2C0978787,SHA256=854AFB4C93E17D66D72B70A39909F25D208261472B122BCD1823979434260D3D | false | true
41216 | DC | 2023-01-18 12:19:57.619 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9305CA0E5257D0A1F8605161E34BB402,SHA256=CD403FF92471DFCCDA0320704C8E7337C809DC467387B9AD028B2D0F3C4130F1 | false | false - insufficient disk space
15923 | HOST | 2023-01-18 12:19:58.775 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=18754BC93C11B5EB618E89021ED93D87,SHA256=27767D212F575D9CAA3A43152BBB9BA9476DB94AF82C599DD21E3ED6CABBFF3B | false | true
41217 | DC | 2023-01-18 12:19:58.682 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6B093E640E3785CB93A70B222AAF2714,SHA256=4D1932DADA77D5DBD716722FA97483E08E13FB016255545E9701F086EFCC05A7 | false | false - insufficient disk space
15924 | HOST | 2023-01-18 12:19:59.860 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BEFFD94962241FDC0AEE2E41ADD1E8BD,SHA256=17D7C1CB652F3A2E0D355530371B5CC5CA1F5DC7255594AB7C9AACE181382A29 | false | true
41220 | DC | 2023-01-18 12:19:59.753 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=08BD3128713B4FE6ECC0C232F5BF8FEA,SHA256=BC6EC9B2438730C1C6DFEE192A7D1D547588F5C822E7EFD87E10B080624E48E3 | false | false - insufficient disk space
41219 | DC | 2023-01-18 12:19:59.643 | {FE4C2B44-DA67-63C7-AA00-00000000AF02} | 2092 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | MD5=3A47DB6F7C9FAE0D8187FEEC0A339147,SHA256=55103801A23A006272F9528450CAC89E9AD72D5877DDF78AA47AD7FC25097225 | false | false - insufficient disk space
15925 | HOST | 2023-01-18 12:20:00.964 | {E5A8D418-DCCE-63C7-EB00-00000000B002} | 3756 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E3C4A81B8323E503C831A667162DEC08,SHA256=58700C9AF5BED96586F3C23DDF3DFD8146D09DF0BD94B84AA2461A5EF28B7BA1 | false | true
41221 | DC | 2023-01-18 12:20:00.850 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=402FF2B56DE6A34A8CB9C196A9F28DBD,SHA256=CB2562A168298590E7C9597F9E30520428A4F5532D38BC1077C249E58B287CEB | false | false - insufficient disk space
41222 | DC | 2023-01-18 12:20:01.936 | {FE4C2B44-DA75-63C7-F400-00000000AF02} | 2900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D4AA4E4CBA944C866BD73424F8DC8EA8,SHA256=366358592CA88C7E7E88C197D079CC9730961886AB3AE5CF86751C01F48BFCFA | false | false - insufficient disk space
15926 | HOST | 2023-01-18 12:20:01.466 | {E5A8D418-DCC0-63C7-9F00-00000000B002} | 3096 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | MD5=E9B631E6F0623812CFB3F99A1452456F,SHA256=305483267BB6A7E61F8F4860B27E07BB04CB023A790A11793BDC5AF86479BACD | false | true
Reading: Archived=true (HOST) means Sysmon kept a copy of the deleted file in its archive directory; "false - insufficient disk space" (DC) means it did not, so for those rows the hashes are the only record of the deleted content and the DC's Sysmon archive volume needs attention. Almost all rows are the Splunk forwarder rewriting its WinEventLog checkpoint files under modinputs\WinEventLog about once a second; the one deletion by an interactive user is 41189, FoxitPDFReader.exe removing its own SQLite journal.

Event 3 NetworkConnect.
Columns: EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
41214 | DC | 2023-01-18 12:19:54.316 | {FE4C2B44-D9F3-63C7-0B00-00000000AF02} | 624 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | false | true | 0:0:0:0:0:0:0:1 | win-dc-ctus-attack-range-271.attackrange.local | 56271 | - | true | 0:0:0:0:0:0:0:1 | win-dc-ctus-attack-range-271.attackrange.local | 389 | ldap
41213 | DC | 2023-01-18 12:19:54.316 | {FE4C2B44-DA03-63C7-1F00-00000000AF02} | 2444 | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | NT AUTHORITY\SYSTEM | tcp | true | true | 0:0:0:0:0:0:0:1 | win-dc-ctus-attack-range-271.attackrange.local | 56271 | - | true | 0:0:0:0:0:0:0:1 | win-dc-ctus-attack-range-271.attackrange.local | 389 | ldap
15922 | HOST | 2023-01-18 12:19:55.092 | {E5A8D418-DCC7-63C7-D000-00000000B002} | 3144 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-ctus-attack-range-933.us-east-2.compute.internal | 50071 | - | false | 10.0.1.12 | ip-10-0-1-12.us-east-2.compute.internal | 8000 | -
41218 | DC | 2023-01-18 12:19:57.598 | {FE4C2B44-DA6F-63C7-DB00-00000000AF02} | 4048 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-ctus-attack-range-271.attackrange.local | 56272 | - | false | 10.0.1.12 | - | 8000 | -
Reading: 41213 and 41214 are the two ends of one loopback LDAP connection, both logged at 12:19:54.316 with the same ephemeral port 56271: ADWS (Active Directory Web Services) initiates to ::1:389 (Initiated=true) and lsass.exe, which hosts the LDAP server on a domain controller, accepts it (Initiated=false). Pairing the two sides by port and timestamp is how to avoid counting one connection twice in network-connection analytics. The two streamfwd.exe rows are the Splunk Stream forwarders on each host sending to 10.0.1.12:8000.
10341000x800000000000000015948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.724{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.710{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.685{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.669{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.656{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.650{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.641{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.604{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.595{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.587{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.577{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.561{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000015928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x800000000000000015927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.051{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052A6B339D039F306FB796728C5A729C,SHA256=D53FB37E92418526B655B4078B934230FC3261F0FEDA9C7EAF983DC3215B8C9C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:00.114{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50072-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:03.175{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAF5CE4C63FAFC9213D00F245D2C332,SHA256=1727F1DD207354A068DF0D87949958C543C0913A0E6E6B302E171E57DB57F6E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:03.023{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEFE74C76DDAABBEF6509DB23496587,SHA256=3F2B32766A9EBCD3EC7580F4EA9937B8C6A061165A10D32ED85D6D9EBB225A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:04.421{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A3CB4BD92E72260A4C30B7A24F8722,SHA256=C0328C0E7B9060024DA50C5B79DCAA64F067CADE1194C21FF4411CA86B2A2F72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:04.110{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E49039B2E75C789F46F32314B057E19,SHA256=C3AD37BB167CC711032A9C17F33D99B1417E4BACB6CE1E1BE04234B9EC684F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:04.001{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:05.512{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F2C699398615F6E320FF51D4156432,SHA256=A7B675EE61C8D3B4E39DDD5C79A6335E247CF634B3FC1A87AF90D43A2495C80F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000041226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:03.563{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56273-false10.0.1.12-8000-
23542300x800000000000000041225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:05.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02917B5ED0B85891931BE24131E04AC4,SHA256=C73DDC0B5FCA9FD03028AD7C450F8CE7D3486308FDDF399B839A13299A9913B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:06.610{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4C2976F92F571827D8B27F3C1A55E2,SHA256=8ED9A74B97A4A6C1972D20A7A4006CCCA6AF8826398C1FF95E8EC0574ECF13C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:06.265{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217BF0DECFE9032D36327552294D9A86,SHA256=FA19AC851F25F2DB0444051CDF844BA59C57F288D6D898529DBBA48F8C38223C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:06.416{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-031MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:03.865{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50073-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000041228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:07.338{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9529A8D76D777959985A25CE7A63A36,SHA256=028D4F165D5BC77B5BC81141F566DD72FE72BFB23FA6B5CE8B923870CC31F8C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:07.707{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D287E91960DAED90B67084D3F8FA62,SHA256=A0859D0B51187964B84A6B97FE8FD5D948E0AFCDAE8ED8957694A0004530739F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:07.419{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:08.786{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53545FE670D7EC338D452FA9F9803339,SHA256=11FDD7F09815280206DBC25B20B97738E28FE454ACFFA56BE639E5EE21B0DBD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:08.399{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247D9B136B597C61E38E74BBFBA10B21,SHA256=C1368EB075D7EC86113FC95CB085F2281BD02909FE5F9F44AE5D293089C6A84C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000015969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:06.044{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50074-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000015971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:09.880{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D701C34646FA72CE8E4A309BD460090,SHA256=9A2549234ED74EF4F6BA9BAC9E82C3A7E31895135A9B59DB92CD5033196D8A84,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:09.491{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D2320E416E649F31EE990E4E0BBF49,SHA256=422147BDA53AF070991E6E6CD72320504870EC95EEF7EBE424E2C049B75AFD97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:10.979{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C18901676CDB30BF72AEAEAC11C253,SHA256=DE9B5288047C55F05AD73E5B99A592B24E34194FBF27364D99A168DE49DC52FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:10.550{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA8FCDD5F1C97BF58876933D5F412B0,SHA256=650096553CE645A641901D98B1205A7E612FBDB744563B47A887DF0B14A81976,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.736{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000041266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.528{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=C47C3260A1393792899F7083D65EA6B9,SHA256=358D8A718C03A019D64845D0A809425313C70DC8F7B973DB545E127C04732D85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000041265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.221{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
10341000x800000000000000041264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.220{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50)
23542300x800000000000000015977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:15.319{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F7461DB15266C6FE9E3563A5467331,SHA256=D7A626B794683D4685B95D57CD5FF505A46AAD0B2AE3AF9905A09A5B0DC57135,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:16.402{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246F9004665F1D32EE3D6DAAFAF59EB3,SHA256=BB1D728D0E80880A44708A0A623EE4427BBF4A440775A8B0CDC918C7881CF55B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000015978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:16.386{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AF650FEAB06C60404B4CBECECE0DF6B7,SHA256=8C320C30A1BE205FCA6691B6345CE89CB9FA40D2E21A40C362288CF98F946224,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:16.022{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3C988FF2AC66690BF931AE85D60E3B,SHA256=2E42D7A2281643128F9C179E91AD85E31DA9227DB648EB0D0755283FE492A9CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:17.492{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E06CFCFD0B0B6BFB44BB281667CE015,SHA256=1570AA65C6EFDD756D28A32148C5E230EF9CD648971F67C2D68D9E60D114D012,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000015989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000015988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001e49f7)
13241300x800000000000000015987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xd7c4b8aa)
13241300x800000000000000015986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x398920aa)
13241300x800000000000000015985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x9b4d88aa)
13241300x800000000000000015984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000015983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001e49f7)
13241300x800000000000000015982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xd7c4b8aa)
13241300x800000000000000015981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x398920aa)
13241300x800000000000000015980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x9b4d88aa)
354300x800000000000000041291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.609{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56275-false10.0.1.12-8000-
23542300x800000000000000041290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:17.118{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA9EB4D256AF0E296EE1D83702FEC52,SHA256=1F32DE753C5B88B072B417E00AFEFE576358AFF2AB4204C832EB811A2A69CA4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:18.487{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD00EFD154754B7B8F213B4672B7C51B,SHA256=B42A830F15F3C487B06F8B2A0B1EC631122CF3A9B1054F99C2400EE881D035DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:18.196{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9900E04B2205E30754280AB7BAD5377D,SHA256=C1B23C7104BF422FF8D134017A366452ADB49848C4A468568730F567745E2D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:19.572{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D741144E49771CD39306E9449898E660,SHA256=E316CC1C3D75D5B951BC23F977F8CF9459176CFB75071E7F85E47942571F59E3,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000015992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:18.069{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50076-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000041293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:19.273{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC03A3898FD914F6144F9CF57A7F69D0,SHA256=6B69471B730DEA9CEA63180D05CB35959AA67B5C80C8BE9FC4505BE6B9514D7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:20.870{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2D8A3E23B1A8378F1C8008FBB0E070,SHA256=D1B9718E9A5E06FFA21E2C39DD9927CDF7C6B7A77E24378EBB9C7926095E6AF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:20.335{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F957DF7F62266C500020D773DD9B479,SHA256=14E1E7274174023F091FD8A7A15CCA50223DFBE7F90E66418715AF1E7E36F75D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000015995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:21.963{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0478831C72F4789D5D9DBA1946A2D93,SHA256=1F28A398A14CF8A4542C275BDF7B551437447297D7E4659953AF6094992BD8C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:21.417{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D9B3DA00E5B2ABC8C97686EA576E55,SHA256=BA986568D1ED48C826CFF9D698C6F752974745D07712A9F5C789A46D8103BDB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000041297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:20.617{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56276-false10.0.1.12-8000-
23542300x800000000000000041296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:22.477{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091B674928EA745FEF64DBEEB96DB5A4,SHA256=C7A91E7A2DAA33FD5BF0D60FD213700AA78554E60F2975B44DBB027AFA171A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000016026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.760{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.746{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x800000000000000016016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.734{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
154100x800000000000000016052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.880{E5A8D418-E40D-63C7-F601-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000016051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.872{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60DA236741619A6223F3AACE66BEEF7,SHA256=563B62F45ADBC681423A43C2D29F5503EC4E38B1F11BD9E3F6C7E5067FE6D28B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000016050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000016039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000016038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.217{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000041325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.896{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000041317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.879{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3747A6021CF31176E43B15FF8B1C54CA,SHA256=32E3BAE6E3CBC5BC491A7E6A2A746C01CD2AC816F42AEA275E80D959345CBF04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000041316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.832{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C89D8D42EBD802C47B15284534EFD5E9,SHA256=92ECC6B33B5F867F422587D1698604303E7EB9C578AB6CC3C6CD90924490E625,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000041315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:27.009{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56278-false10.0.1.12-8089-
10341000x800000000000000041314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610)
10341000x800000000000000041354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610)
10341000x800000000000000041353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.707{FE4C2B44-E40F-63C7-1C06-00000000AF02}65565564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.687{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.686{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190)
10341000x800000000000000041345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.442{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000041337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30E4A216F8C1C1AE032D54E5681622,SHA256=D998BFD4751B139CB28DFD9FFA3D45F7C1D8C7CBB08A9EFCB5A3549075CF77EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000016097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.768{E5A8D418-E40F-63C7-F801-00000000B002}30483944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000016096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.018{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50078-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000016095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000016085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000016084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000016083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.612{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000016082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.059{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9E1BAD397A83F614239DC7EDC269F7,SHA256=9DA0230C663F03C4EBF877D0DFA855CE5950B39FB67999C3B979158EB370F01C,IMPHASH=00000000000000000000000000000000falsetrue